From ddc398c5d658b5b33c23dbca617e0d1d021a5c6d Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Tue, 31 Jan 2017 14:32:12 -0800
Subject: [PATCH] qcacld-2.0: Avoid integer overflow in
wma_enable_arp_ns_offload
In the function wma_enable_arp_ns_offload(), the len variable is
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
16 bit as input; also, there is no limit on the input of
num_ns_offload_count.
Fix is to define the len variable in wma_enable_arp_ns_offload()
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
extended and re-defined as unsigned 32 bit. Add limit check before
using num_ns_offload_count.
Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
CRs-Fixed: 1103099
Bug: 32658595
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++--
drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 7 ++++++-
drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c | 4 ++--
3 files changed, 10 insertions(+), 5 deletions(-)
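diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
index cd9f923beca83..2912d471158f7 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/COMMON/wmi_unified_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle);
 * @return wmi_buf_t.
 */
 wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len);
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
 
 
 /**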
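diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 72564ac017ebe..9ca604952e03b 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -24576,7 +24576,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
 WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param *cmd;
 A_UINT8* buf_ptr;
 wmi_buf_t buf;
- int32_t len;
+ uint32_t len;
 VOS_STATUS status = VOS_STATUS_SUCCESS;
 u_int8_t vdev_id;
 tpSirHostOffloadReq ns_offload_req;
@@ -24610,6 +24610,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma,
 count = hostoffloadreq->num_ns_offload_count;
 }
 
+ if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {
+ status = VOS_STATUS_E_INVAL;
+ goto err_vdev;
+ }
+
 len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) +
 WMI_TLV_HDR_SIZE + /* Add size for array of NS tuples */
 WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) +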
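Review bot: The new guard in the second hunk bounds `count` by `SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA`, while the `len` expression directly below sizes the tuple array with `WMI_MAX_NS_OFFLOADS`; nothing visible ties the two constants together, so whether the check keeps the later fill inside the allocation depends on code outside the hunk (the `len` expression itself continues past it). A compile-time assertion relating the two constants, or a comment stating the relation, would make the bound verifiable by a reader. The comparison is `>=`, which also rejects a request carrying exactly the maximum number of entries; if the constant is the array capacity, the test should be `if (count > SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {`, and if `>=` is deliberate a one-line comment should say why. The rejection is also silent, so a line such as `WMA_LOGE("%s: invalid NS offload count", __func__);` before `goto err_vdev;` would make malformed requests visible in the driver log.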
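diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
index fe72942417bbc..11107d6a5b6d8 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMI/wmi_unified.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle)
 }
 
 wmi_buf_t
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len)
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
 {
 wmi_buf_t wmi_buf;
 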
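Review bot: With `len` widened to `uint32_t` in the second hunk, values above 65535 now reach the body of `wmi_buf_alloc` unchanged instead of being truncated at the call, so the body has to reject oversized requests itself. Only the first line of the body is inside the hunk, so it cannot be confirmed here that `len`, plus any headroom the function adds, is compared against the maximum message length without wrapping; `wmi_get_max_msg_len` in the hunk header still reports that limit as `uint16_t`. The doc comment on the prototype in `wmi_unified_api.h` should state the accepted range of `len` and what is returned when it is exceeded, so callers such as `wma_enable_arp_ns_offload` know to check the result.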