DivestOS/Patches/Linux_CVEs/CVE-2017-0633/ANY/0001.patch

129 lines
3.5 KiB
Diff
Raw Normal View History

From 4e38c573e81eb76f09bae425f035be392fbab370 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Fri, 24 Mar 2017 14:04:03 -0700
Subject: [PATCH] net: wireless: bcmdhd: fix for IOVAR GET failed
found some case that IOVAR callers set response buffer not enough to
contain input command string + argument. so it finally fail in IOVAR
transaction by its shorter buffer length.
proposed fix is taking care this case by providing enough local
buffer inside dhd_iovar, which enough to input/output.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 36000515
Change-Id: I0afedcc29b05b12f42ebc619e6feeaa868fc00de
---
drivers/net/wireless/bcmdhd/dhd_linux.c | 81 ++++++++++++++++++++++++---------
1 file changed, 59 insertions(+), 22 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c
index 17e503c6d6b35..0b66e914c15a0 100644
--- a/drivers/net/wireless/bcmdhd/dhd_linux.c
+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c
@@ -6257,45 +6257,82 @@ dhd_iovar(dhd_pub_t *pub, int ifidx, char *name, char *param_buf,
return BCME_BADARG;
input_len = strlen(name) + 1 + param_len;
+ if (input_len > WLC_IOCTL_MAXLEN)
+ return BCME_BADARG;
+ buf = NULL;
if (set) {
if (res_buf || res_len != 0) {
DHD_ERROR(("%s: SET wrong arguemnet\n", __FUNCTION__));
return BCME_BADARG;
}
- buf = kzalloc(input_len, GFP_ATOMIC);
+ buf = kzalloc(input_len, GFP_KERNEL);
if (!buf) {
DHD_ERROR(("%s: mem alloc failed\n", __FUNCTION__));
return BCME_NOMEM;
}
ret = bcm_mkiovar(name, param_buf, param_len, buf, input_len);
+ if (!ret) {
+ ret = BCME_NOMEM;
+ goto exit;
+ }
+
+ ioc.cmd = WLC_SET_VAR;
+ ioc.buf = buf;
+ ioc.len = input_len;
+ ioc.set = set;
+
+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len);
+
} else {
- if (!res_buf) {
- DHD_ERROR(("%s: GET failed. resp_buf NULL\n",
+ if (!res_buf || res_len == 0) {
+ DHD_ERROR(("%s: GET failed. resp_buf NULL or len:0\n",
__FUNCTION__));
return BCME_NOMEM;
}
if (res_len < input_len) {
- DHD_ERROR(("%s: res_len(%d) < input_len(%d)\n",
- __FUNCTION__, res_len, input_len));
- return BCME_NOMEM;
- }
- memset(res_buf, 0, res_len);
- ret = bcm_mkiovar(name, param_buf, param_len, res_buf, res_len);
- }
- if (ret == 0) {
- if (set)
- kfree(buf);
- return BCME_NOMEM;
- }
+ DHD_INFO(("%s: res_len(%d) < input_len(%d)\n",
+ __FUNCTION__, res_len, input_len));
+ buf = kzalloc(input_len, GFP_KERNEL);
+ if (!buf) {
+ DHD_ERROR(("%s: mem alloc failed\n",
+ __FUNCTION__));
+ return BCME_NOMEM;
+ }
+ ret = bcm_mkiovar(name, param_buf, param_len, buf,
+ input_len);
+ if (!ret) {
+ ret = BCME_NOMEM;
+ goto exit;
+ }
- ioc.cmd = set ? WLC_SET_VAR : WLC_GET_VAR;
- ioc.buf = set ? buf : res_buf;
- ioc.len = set ? ret : res_len;
- ioc.set = set;
+ ioc.cmd = WLC_GET_VAR;
+ ioc.buf = buf;
+ ioc.len = input_len;
+ ioc.set = set;
- ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len);
- if (set)
- kfree(buf);
+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len);
+
+ if (ret == BCME_OK)
+ memcpy(res_buf, buf, res_len);
+ } else {
+ memset(res_buf, 0, res_len);
+ ret = bcm_mkiovar(name, param_buf, param_len, res_buf,
+ res_len);
+ if (!ret) {
+ ret = BCME_NOMEM;
+ goto exit;
+ }
+
+ ioc.cmd = WLC_GET_VAR;
+ ioc.buf = res_buf;
+ ioc.len = res_len;
+ ioc.set = set;
+
+ ret = dhd_wl_ioctl(pub, ifidx, &ioc, ioc.buf, ioc.len);
+ }
+ }
+exit:
+ kfree(buf);
return ret;
}