From a4c5eefd5dd761445784963f3b6605d24d2bc3af Mon Sep 17 00:00:00 2001 From: Jeff Johnson Date: Tue, 29 Nov 2016 07:22:08 -0800 Subject: qcacld-3.0: Avoid overflow of roam subcmd params This is a qcacld-2.0 to qcacld-3.0 propagation. Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues: QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However there is no validation that the number of BSSIDs provided won't overflow the destination buffer. In addition there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected. To address these issues, for the above mentioned commands: * Verify that the expected number of BSSIDs doesn't exceed the maximum allowed number of BSSIDs * Verify that the actual number of BSSIDs supplied doesn't exceed the expected number of BSSIDs * Only process the actual number of supplied BSSIDs if it is less than the expected number of BSSIDs. Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 CRs-Fixed: 1092497 --- core/hdd/src/wlan_hdd_cfg80211.c | 41 ++++++++++++++++++++++++++++++++++------ 1 file changed, 35 insertions(+), 6 deletions(-) diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c index 169629a..c457140 100644 --- a/core/hdd/src/wlan_hdd_cfg80211.c +++ b/core/hdd/src/wlan_hdd_cfg80211.c @@ -2339,6 +2339,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; int rem, i; uint32_t buf_len = 0; + uint32_t count; int ret; ENTER_DEV(dev); @@ -2509,14 +2510,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, hdd_err("attr num of preferred bssid failed"); goto fail; } - roam_params.num_bssid_favored = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); - hdd_debug("Num of Preferred BSSID (%d)", - roam_params.num_bssid_favored); + if (count > MAX_BSSID_FAVORED) { + hdd_err("Preferred BSSID count %u exceeds max %u", + count, MAX_BSSID_FAVORED); + goto fail; + } + hdd_debug("Num of Preferred BSSID (%d)", count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], rem) { + + if (i == count) { + hdd_warn("Ignoring excess Preferred BSSID"); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), @@ -2545,6 +2556,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, roam_params.bssid_favored_factor[i]); i++; } + if (i < count) + hdd_warn("Num Preferred BSSID %u less than expected %u", + i, count); + roam_params.num_bssid_favored = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_FAVORED_BSSID); break; @@ -2554,14 +2569,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, hdd_err("attr num of blacklist bssid failed"); goto fail; } - roam_params.num_bssid_avoid_list = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); - hdd_debug("Num of blacklist BSSID (%d)", - roam_params.num_bssid_avoid_list); + if (count > MAX_BSSID_AVOID_LIST) { + hdd_err("Blacklist BSSID count %u exceeds max %u", + count, MAX_BSSID_AVOID_LIST); + goto fail; + } + hdd_debug("Num of blacklist BSSID (%d)", count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], rem) { + + if (i == count) { + hdd_warn("Ignoring excess Blacklist BSSID"); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), @@ -2582,6 +2607,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, roam_params.bssid_avoid_list[i].bytes)); i++; } + if (i < count) + hdd_warn("Num Blacklist BSSID %u less than expected %u", + i, count); + roam_params.num_bssid_avoid_list = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); break; -- cgit v1.1