mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-17 10:27:26 -05:00
61 lines
2.3 KiB
Diff
61 lines
2.3 KiB
Diff
|
From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001
|
||
|
From: Insun Song <insun.song@broadcom.com>
|
||
|
Date: Mon, 5 Jun 2017 14:39:26 -0700
|
||
|
Subject: net: wireless: bcmdhd: adding boundary check for pfn events
|
||
|
|
||
|
adding boundary check for bssid count in dhd_pno_process_epno_result
|
||
|
and dhd_handle_hotlist_scan_evt function to prevent heap overflow.
|
||
|
|
||
|
Signed-off-by: Insun Song <insun.song@broadcom.com>
|
||
|
Bug: 37722328
|
||
|
Bug: 37722970
|
||
|
Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
|
||
|
---
|
||
|
drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++--
|
||
|
1 file changed, 14 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
|
||
|
index 8ebdf53..1a8e4ee 100644
|
||
|
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
|
||
|
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
|
||
|
@@ -92,6 +92,11 @@
|
||
|
#define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====")
|
||
|
#define TIME_MIN_DIFF 5
|
||
|
|
||
|
+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
|
||
|
+#define EVENT_MAX_NETCNT \
|
||
|
+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
|
||
|
+ / sizeof(wl_pfn_net_info_t) + 1)
|
||
|
+
|
||
|
#ifdef GSCAN_SUPPORT
|
||
|
static int _dhd_pno_flush_ssid(dhd_pub_t *dhd);
|
||
|
static wl_pfn_gscan_ch_bucket_cfg_t *
|
||
|
@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int
|
||
|
if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) {
|
||
|
wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data;
|
||
|
wl_pfn_net_info_t *net;
|
||
|
-
|
||
|
+ if ((pfn_result->count == 0) ||
|
||
|
+ (pfn_result->count > EVENT_MAX_NETCNT)) {
|
||
|
+ DHD_ERROR(("%s event %d: incorrect results count:%d\n",
|
||
|
+ __FUNCTION__, event, pfn_result->count));
|
||
|
+ return NULL;
|
||
|
+ }
|
||
|
if (pfn_result->version != PFN_SCANRESULT_VERSION) {
|
||
|
DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event,
|
||
|
pfn_result->version, PFN_SCANRESULT_VERSION));
|
||
|
@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
|
||
|
|
||
|
gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
|
||
|
|
||
|
- if (!results->count) {
|
||
|
+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
|
||
|
+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
|
||
|
+ results->count));
|
||
|
*send_evt_bytes = 0;
|
||
|
return ptr;
|
||
|
}
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|