2017-11-07 18:55:10 -05:00
|
|
|
From 055561f40f2baa5cdd74f952be55b61a3907279a Mon Sep 17 00:00:00 2001
|
|
|
|
From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
|
|
|
|
Date: Wed, 28 Oct 2015 16:56:58 -0700
|
2017-11-07 17:32:46 -05:00
|
|
|
Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
|
|
|
|
|
|
|
|
prima to qcacld-2.0 propagation
|
|
|
|
|
|
|
|
Return failure to applications if genie ioctl is invoked to configure
|
|
|
|
WPS/WPA/RSN IEs with arguments of improper length.
|
|
|
|
|
|
|
|
CRs-Fixed: 931451
|
2017-11-07 18:55:10 -05:00
|
|
|
Bug: 25344453
|
|
|
|
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
|
2017-11-07 17:32:46 -05:00
|
|
|
---
|
2017-11-07 18:55:10 -05:00
|
|
|
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c | 37 ++++++++++++++++------
|
|
|
|
1 file changed, 27 insertions(+), 10 deletions(-)
|
2017-11-07 17:32:46 -05:00
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
|
|
|
|
index 38a13fa..93136df 100644
|
|
|
|
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
|
|
|
|
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_wext.c
|
|
|
|
@@ -2270,11 +2270,12 @@ static int iw_set_genie(struct net_device *dev,
|
|
|
|
union iwreq_data *wrqu,
|
|
|
|
char *extra)
|
|
|
|
{
|
|
|
|
- hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
|
|
|
|
+ hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
|
|
|
|
hdd_wext_state_t *pWextState = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
|
|
|
|
u_int8_t *genie = NULL;
|
|
|
|
u_int8_t *base_genie = NULL;
|
|
|
|
v_U16_t remLen;
|
|
|
|
+ int ret = 0;
|
|
|
|
|
|
|
|
ENTER();
|
|
|
|
|
|
|
|
@@ -2324,8 +2325,8 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
case IE_EID_VENDOR:
|
|
|
|
if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
|
|
|
|
{
|
|
|
|
- kfree(base_genie);
|
|
|
|
- return -EINVAL;
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2339,8 +2340,8 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
|
|
|
|
"Need bigger buffer space");
|
|
|
|
VOS_ASSERT(0);
|
|
|
|
- kfree(base_genie);
|
|
|
|
- return -ENOMEM;
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ goto exit;
|
|
|
|
}
|
|
|
|
// save to Additional IE ; it should be accumulated to handle WPS IE + other IE
|
|
|
|
memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2349,6 +2350,14 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
|
|
|
|
{
|
|
|
|
hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
|
|
|
|
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
|
|
|
|
+ {
|
|
|
|
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
|
|
|
|
+ "Need bigger buffer space");
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ VOS_ASSERT(0);
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
|
|
|
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
|
|
|
|
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
|
|
|
|
pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2365,8 +2374,8 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
|
|
|
|
"Need bigger buffer space");
|
|
|
|
VOS_ASSERT(0);
|
|
|
|
- kfree(base_genie);
|
|
|
|
- return -ENOMEM;
|
|
|
|
+ ret = -ENOMEM;
|
|
|
|
+ goto exit;
|
|
|
|
}
|
|
|
|
// save to Additional IE ; it should be accumulated to handle WPS IE + other IE
|
|
|
|
memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2375,6 +2384,14 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
break;
|
|
|
|
case DOT11F_EID_RSN:
|
|
|
|
hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
|
|
|
|
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
|
|
|
|
+ {
|
|
|
|
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
|
|
|
|
+ "Need bigger buffer space");
|
|
|
|
+ ret = -EINVAL;
|
|
|
|
+ VOS_ASSERT(0);
|
|
|
|
+ goto exit;
|
|
|
|
+ }
|
|
|
|
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
|
|
|
|
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
|
|
|
|
pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
|
2017-11-07 18:55:10 -05:00
|
|
|
@@ -2383,15 +2400,15 @@ static int iw_set_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
|
|
|
|
default:
|
|
|
|
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
|
|
|
|
- kfree(base_genie);
|
|
|
|
- return 0;
|
|
|
|
+ goto exit;
|
|
|
|
}
|
|
|
|
genie += eLen;
|
|
|
|
remLen -= eLen;
|
|
|
|
}
|
|
|
|
+exit:
|
|
|
|
EXIT();
|
|
|
|
kfree(base_genie);
|
|
|
|
- return 0;
|
|
|
|
+ return ret;
|
|
|
|
}
|
|
|
|
|
2017-11-07 18:55:10 -05:00
|
|
|
static int iw_get_genie(struct net_device *dev,
|
2017-11-07 17:32:46 -05:00
|
|
|
--
|
|
|
|
cgit v1.1
|
|
|
|
|