mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
51 lines
2.3 KiB
Diff
51 lines
2.3 KiB
Diff
|
From 58350a7bcb827c0ac81f0750a62d5c5a8ed3a469 Mon Sep 17 00:00:00 2001
|
||
|
From: Jeff Johnson <jjohnson@codeaurora.org>
|
||
|
Date: Tue, 6 Jun 2017 08:56:33 -0700
|
||
|
Subject: qcacld-2.0: Avoid extscan bucket spec overread
|
||
|
|
||
|
Currently in hdd_extscan_start_fill_bucket_channel_spec() the
|
||
|
QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without
|
||
|
specifying a policy. This means that no policy is enforced.
|
||
|
Subsequently the values of the nested attributes are retrieved, but
|
||
|
again without any length limits enforced. This could result in a
|
||
|
buffer overread.
|
||
|
To prevent this issue:
|
||
|
* Parse using the existing policy wlan_hdd_extscan_config_policy
|
||
|
* Update the policy to add missing attributes
|
||
|
|
||
|
Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533
|
||
|
CRs-Fixed: 2057034
|
||
|
---
|
||
|
CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++--
|
||
|
1 file changed, 6 insertions(+), 2 deletions(-)
|
||
|
|
||
|
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
index 1f6be81..078b4fd 100644
|
||
|
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
||
|
@@ -850,6 +850,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
|
||
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
|
||
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 },
|
||
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 },
|
||
|
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD] = { .type = NLA_U32 },
|
||
|
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE] = { .type = NLA_U32 },
|
||
|
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT] = { .type = NLA_U32 },
|
||
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY,
|
||
|
.len = IEEE80211_MAX_SSID_LEN + 1 },
|
||
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 },
|
||
|
@@ -3533,8 +3536,9 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
|
||
|
}
|
||
|
|
||
|
if (nla_parse(bucket,
|
||
|
- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
||
|
- nla_data(buckets), nla_len(buckets), NULL)) {
|
||
|
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
||
|
+ nla_data(buckets), nla_len(buckets),
|
||
|
+ wlan_hdd_extscan_config_policy)) {
|
||
|
hddLog(LOGE, FL("nla_parse failed"));
|
||
|
return -EINVAL;
|
||
|
}
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|