From 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d Mon Sep 17 00:00:00 2001 From: Mahesh A Saptasagar Date: Tue, 27 Oct 2015 21:56:28 +0530 Subject: qcacld 2.0: Validate ioctls for valid input length prima to qcacld-2.0 propagation Return failure to applications if ioctl is invoked with arguments of improper length. Change-Id: I01589f37996510ee130485ef43e1f36811692e28 CRs-Fixed: 930542 --- CORE/HDD/src/wlan_hdd_hostapd.c | 61 +++++++++++++++++++++++++++++++---------- 1 file changed, 47 insertions(+), 14 deletions(-) diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c index 881400e..e4e1a63 100644 --- a/CORE/HDD/src/wlan_hdd_hostapd.c +++ b/CORE/HDD/src/wlan_hdd_hostapd.c @@ -5186,9 +5186,8 @@ static int __iw_softap_setwpsie(struct net_device *dev, case DOT11F_EID_WPA: if (wps_genie[1] < 2 + 4) { - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - return -EINVAL; + ret = -EINVAL; + goto exit; } else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) { @@ -5246,6 +5245,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E)) + { + ret = -EINVAL; + goto exit; + } vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length); pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT; pos += length; @@ -5260,9 +5264,8 @@ static int __iw_softap_setwpsie(struct net_device *dev, default: hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1))); - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - return -EINVAL; + ret = -EINVAL; + goto exit; } } } @@ -5274,9 +5277,8 @@ static int __iw_softap_setwpsie(struct net_device *dev, default: hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]); - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - return 0; + ret = -EINVAL; + goto exit; } } else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE) @@ -5288,9 +5290,8 @@ static int __iw_softap_setwpsie(struct net_device *dev, case DOT11F_EID_WPA: if (wps_genie[1] < 2 + 4) { - vos_mem_free(pSap_WPSIe); - kfree(fwps_genie); - return -EINVAL; + ret = -EINVAL; + goto exit; } else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0) { @@ -5354,6 +5355,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E))) + { + ret = -EINVAL; + goto exit; + } vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length); pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT; pos += length; @@ -5363,6 +5369,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name))) + { + ret = -EINVAL; + goto exit; + } pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length; vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length); pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT; @@ -5373,6 +5384,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text))) + { + ret = -EINVAL; + goto exit; + } pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length; vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length); pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT; @@ -5382,6 +5398,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text))) + { + ret = -EINVAL; + goto exit; + } pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length; vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length); pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT; @@ -5391,6 +5412,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text))) + { + ret = -EINVAL; + goto exit; + } pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length; vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length); pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT; @@ -5414,6 +5440,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, pos += 2; length = *pos<<8 | *(pos+1); pos += 2; + if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text))) + { + ret = -EINVAL; + goto exit; + } pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length; vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length); pos += length; @@ -5450,6 +5481,8 @@ static int __iw_softap_setwpsie(struct net_device *dev, #else halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe); #endif + if (halStatus != eHAL_STATUS_SUCCESS) + ret = -EINVAL; pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter); if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE) { @@ -5461,11 +5494,11 @@ static int __iw_softap_setwpsie(struct net_device *dev, WLANSAP_Update_WpsIe ( pVosContext ); #endif } - +exit: vos_mem_free(pSap_WPSIe); kfree(fwps_genie); EXIT(); - return halStatus; + return ret; } static int iw_softap_setwpsie(struct net_device *dev, -- cgit v1.1