DivestOS/Patches/Linux_CVEs/CVE-2017-0575/ANY/0.patch

85 lines
2.9 KiB
Diff
Raw Normal View History

From 0440277461826c6f2122ef3ffca51358cc823fd2 Mon Sep 17 00:00:00 2001
From: Ashish Kumar Goswami <agoswa@codeaurora.org>
Date: Fri, 23 Dec 2016 13:20:45 +0530
Subject: qcacld-2.0: Avoid integer overflow in wma_enable_arp_ns_offload
In the function wma_enable_arp_ns_offload(), the len variable is
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
16 bit as input also there is no limit on input of
num_ns_offload_count.
Fix is to define the len variable in wma_enable_arp_ns_offload()
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
extended and re-defined as unsigned 32 bit. Add limit check before
using num_ns_offload_count.
Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
CRs-Fixed: 1103099
---
CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++--
CORE/SERVICES/WMA/wma.c | 7 ++++++-
CORE/SERVICES/WMI/wmi_unified.c | 2 +-
3 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/CORE/SERVICES/COMMON/wmi_unified_api.h b/CORE/SERVICES/COMMON/wmi_unified_api.h
index cd9f923..2912d47 100644
--- a/CORE/SERVICES/COMMON/wmi_unified_api.h
+++ b/CORE/SERVICES/COMMON/wmi_unified_api.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle);
* @return wmi_buf_t.
*/
wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len);
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
/**
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index 6810329..243c2cc 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -26726,7 +26726,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param *cmd;
A_UINT8* buf_ptr;
wmi_buf_t buf;
- int32_t len;
+ uint32_t len;
VOS_STATUS status = VOS_STATUS_SUCCESS;
u_int8_t vdev_id;
tpSirHostOffloadReq ns_offload_req;
@@ -26760,6 +26760,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
count = hostoffloadreq->num_ns_offload_count;
}
+ if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {
+ status = VOS_STATUS_E_INVAL;
+ goto err_vdev;
+ }
+
len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) +
WMI_TLV_HDR_SIZE + /* Add size for array of NS tuples */
WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) +
diff --git a/CORE/SERVICES/WMI/wmi_unified.c b/CORE/SERVICES/WMI/wmi_unified.c
index b0ace6c..150bd3e 100644
--- a/CORE/SERVICES/WMI/wmi_unified.c
+++ b/CORE/SERVICES/WMI/wmi_unified.c
@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle)
}
wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len)
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
{
wmi_buf_t wmi_buf;
--
cgit v1.1