DivestOS/Patches/Linux_CVEs/CVE-2017-0439/qcacld-3.0/0002.patch

From ff866a1e9a0f653252b5d5b7eb087374c5bad65d Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Fri, 18 Nov 2016 11:44:29 -0800
Subject: qcacld-3.0: Avoid overflow of passpoint network list

This is a qcacld-2.0 to qcacld-3.0 propagation.

Currently when processing a passpoint vendor command the "num
networks" attribute is limit checked and if it exceeds a MAX value
then the command is rejected. Otherwise this value is used to
calculate the size of the buffer allocated to hold the internal
representation of the request. However later when the network
attributes are parsed there is no check to make sure the number of
networks processed does not exceed the "num networks" used to allocate
memory, and as a result a buffer overflow can occur. Address this
issue by aborting the network parsing once "num networks" records have
been parsed.

Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
CRs-Fixed: 1092059
---
 core/hdd/src/wlan_hdd_ext_scan.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index 6515bd4..44c574b 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
@@ -4080,11 +4080,19 @@ static int hdd_extscan_passpoint_fill_network_list(
 	struct nlattr *networks;
 	int rem1, len;
 	uint8_t index;
+	uint32_t expected_networks;
 
+	expected_networks = req_msg->num_networks;
 	index = 0;
 	nla_for_each_nested(networks,
 		tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY],
 		rem1) {
+
+		if (index == expected_networks) {
+			hdd_warn("ignoring excess networks");
+			break;
+		}
+
 		if (nla_parse(network,
 			QCA_WLAN_VENDOR_ATTR_PNO_MAX,
 			nla_data(networks), nla_len(networks), NULL)) {
@@ -4143,6 +4151,7 @@ static int hdd_extscan_passpoint_fill_network_list(
 
 		index++;
 	}
+	req_msg->num_networks = index;
 	return 0;
 }
 
-- 
cgit v1.1