mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-20 04:11:32 -05:00
57 lines
1.9 KiB
Diff
57 lines
1.9 KiB
Diff
|
From c6597e015a7ce5ee71d3725fc55e64fc50923f4e Mon Sep 17 00:00:00 2001
|
||
|
From: Jeff Johnson <jjohnson@codeaurora.org>
|
||
|
Date: Wed, 9 Nov 2016 10:23:02 -0800
|
||
|
Subject: qcacld-2.0: Avoid overflow of EPNO network list
|
||
|
|
||
|
Currently when processing an EPNO vendor command the "num networks"
|
||
|
attribute is limit checked and if it exceeds a MAX value then it is
|
||
|
reset to that MAX value. This value is then used to calculate the size
|
||
|
of the buffer allocated to hold the internal representation of the
|
||
|
request. However later when the network attributes are parsed there is
|
||
|
no check to make sure the number of networks processed does not exceed
|
||
|
the (possibly modified) "num networks" used to allocate memory, and as
|
||
|
a result a buffer overflow can occur. Address this issue by aborting
|
||
|
the network parsing once "num networks" records have been parsed.
|
||
|
|
||
|
Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
|
||
|
CRs-Fixed: 1087807
|
||
|
---
|
||
|
CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
|
||
|
1 file changed, 9 insertions(+)
|
||
|
|
||
|
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
index 92cbb67..233482d 100644
|
||
|
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
@@ -4825,11 +4825,19 @@ static int hdd_extscan_epno_fill_network_list(
|
||
|
struct nlattr *networks;
|
||
|
int rem1, ssid_len;
|
||
|
uint8_t index, *ssid;
|
||
|
+ uint32_t expected_networks;
|
||
|
|
||
|
+ expected_networks = req_msg->num_networks;
|
||
|
index = 0;
|
||
|
nla_for_each_nested(networks,
|
||
|
tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
|
||
|
rem1) {
|
||
|
+
|
||
|
+ if (index == expected_networks) {
|
||
|
+ hddLog(LOGW, FL("ignoring excess networks"));
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
|
||
|
nla_data(networks), nla_len(networks),
|
||
|
wlan_hdd_pno_config_policy)) {
|
||
|
@@ -4883,6 +4891,7 @@ static int hdd_extscan_epno_fill_network_list(
|
||
|
|
||
|
index++;
|
||
|
}
|
||
|
+ req_msg->num_networks = index;
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|