From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001 From: Jeff Johnson Date: Mon, 28 Nov 2016 09:19:02 -0800 Subject: qcacld-2.0: Avoid overflow of roam subcmd params Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues: QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However there is no validation that the number of BSSIDs provided won't overflow the destination buffer. In addition there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected. To address these issues, for the above mentioned commands: * Verify that the expected number of BSSIDs doesn't exceed the maximum allowed number of BSSIDs * Verify that the actual number of BSSIDs supplied doesn't exceed the expected number of BSSIDs * Only process the actual number of supplied BSSIDs if it is less than the expected number of BSSIDs. Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6 CRs-Fixed: 1092497 --- CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------ 1 file changed, 37 insertions(+), 6 deletions(-) diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c index b3c265c..800d123 100644 --- a/CORE/HDD/src/wlan_hdd_cfg80211.c +++ b/CORE/HDD/src/wlan_hdd_cfg80211.c @@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1]; int rem, i; uint32_t buf_len = 0; + uint32_t count; int ret; if (VOS_FTM_MODE == hdd_get_conparam()) { @@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, hddLog(LOGE, FL("attr num of preferred bssid failed")); goto fail; } - roam_params.num_bssid_favored = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]); + if (count > MAX_BSSID_FAVORED) { + hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"), + count, MAX_BSSID_FAVORED); + goto fail; + } hddLog(VOS_TRACE_LEVEL_DEBUG, - FL("Num of Preferred BSSID (%d)"), - roam_params.num_bssid_favored); + FL("Num of Preferred BSSID: %d"), count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS], rem) { + + if (i == count) { + hddLog(LOGW, FL("Ignoring excess Preferred BSSID")); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), @@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, roam_params.bssid_favored_factor[i]); i++; } + if (i < count) + hddLog(LOGW, + FL("Num Preferred BSSID %u less than expected %u"), + i, count); + roam_params.num_bssid_favored = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_FAVORED_BSSID); break; @@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, hddLog(LOGE, FL("attr num of blacklist bssid failed")); goto fail; } - roam_params.num_bssid_avoid_list = nla_get_u32( + count = nla_get_u32( tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]); + if (count > MAX_BSSID_AVOID_LIST) { + hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"), + count, MAX_BSSID_AVOID_LIST); + goto fail; + } hddLog(VOS_TRACE_LEVEL_DEBUG, - FL("Num of blacklist BSSID (%d)"), - roam_params.num_bssid_avoid_list); + FL("Num of blacklist BSSID: %d"), count); i = 0; nla_for_each_nested(curr_attr, tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS], rem) { + + if (i == count) { + hddLog(LOGW, FL("Ignoring excess Blacklist BSSID")); + break; + } + if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), @@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, roam_params.bssid_avoid_list[i])); i++; } + if (i < count) + hddLog(LOGW, + FL("Num Blacklist BSSID %u less than expected %u"), + i, count); + roam_params.num_bssid_avoid_list = i; sme_update_roam_params(pHddCtx->hHal, session_id, roam_params, REASON_ROAM_SET_BLACKLIST_BSSID); break; -- cgit v1.1