From 42a28a93ef19863c39ade86843efb83efc845344 Mon Sep 17 00:00:00 2001 From: Ravi Kumar Bokka Date: Mon, 12 Jun 2017 21:34:30 +0530 Subject: [PATCH] qcacld-2.0: Validate vendor set roaming params command Currently there is no nl policy defined for vendor sub command QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX which may result in buffer overread error. To resolve this, add nl policy. Bug: 36816726 Change-Id: Ib5d3c34dbcec29a98766753efc4e9c4ecf748c2e CRs-Fixed: 2059701 Signed-off-by: Ecco Park
---
 .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 51 ++++++++++++++++++++-- 1 file changed, 47 insertions(+), 4 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index b788566363d87..5ca269bab9cf6 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1809,6 +1809,49 @@ wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 return ret;
 }

+#define MAX_ROAMING_PARAM \
+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX
+
+static const struct nla_policy
+wlan_hdd_set_roam_param_policy[MAX_ROAMING_PARAM + 1] = {
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD] = {.type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID] = {.type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_NUM_NETWORKS] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_LIST] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_THRESHOLD] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_THRESHOLD] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_FACTOR] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_FACTOR] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_MAX_BOOST] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_LAZY_ROAM_HISTERESYS] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_ALERT_ROAM_RSSI_TRIGGER] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_ENABLE] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID] = {
+ .type = NLA_BINARY,
+ .len = MAC_ADDRESS_STR_LEN},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID] = {
+ .type = NLA_BINARY,
+ .len = MAC_ADDRESS_STR_LEN},
+};
+
 static int
 __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
 struct wireless_dev *wdev,
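Review bot: The two BSSID entries in `wlan_hdd_set_roam_param_policy` use `NLA_BINARY` with `.len = MAC_ADDRESS_STR_LEN`, and for `NLA_BINARY` the length is only an upper bound, so an attribute shorter than a MAC address still passes validation and the overread named in the commit message stays possible if the handler copies a fixed number of bytes from it. A minimum-length entry such as `{.type = NLA_UNSPEC, .len = RAW_MAC_ADDR_SIZE /* placeholder: the driver's 6-byte MAC size constant */}`, or an explicit `nla_len()` check before the copy, would close that; the constant's name also suggests the textual address length rather than the raw one, which is worth confirming. Separately, `..._WHITE_LIST_SSID_LIST` and `..._WHITE_LIST_SSID` are declared `NLA_U32` although their names suggest a nested list and an SSID byte string; if that is what the handler expects, `NLA_NESTED` and a length-bounded `NLA_BINARY` are the matching types, since `NLA_U32` validates a 4-byte integer payload and places no cap on an SSID. The handler body that consumes these attributes is outside this hunk.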
@@ -1840,7 +1883,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, data, data_len, - NULL)) { + wlan_hdd_set_roam_param_policy)) { hddLog(LOGE, FL("Invalid ATTR")); return -EINVAL; } @@ -1869,7 +1912,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX, nla_data(curr_attr), nla_len(curr_attr), - NULL)) { + wlan_hdd_set_roam_param_policy)) { hddLog(LOGE, FL("nla_parse failed")); goto fail; } @@ -2024,7 +2067,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), - NULL)) { + wlan_hdd_set_roam_param_policy)) { hddLog(LOGE, FL("nla_parse failed")); goto fail; } @@ -2086,7 +2129,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy, if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX, nla_data(curr_attr), nla_len(curr_attr), - NULL)) { + wlan_hdd_set_roam_param_policy)) { hddLog(LOGE, FL("nla_parse failed")); goto fail; }
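Review bot: In the hunk at -1869 the call `nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX, ...)` is now given a policy array sized `MAX_ROAMING_PARAM + 1`, but `nla_parse` indexes the policy by attribute type up to the maxtype it is passed, so this is in bounds only if `QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX` does not exceed `QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX`, which the diff does not show. The other three calls pass `QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX`; either use the same maxtype here (provided `tb2`, declared outside the hunks, is sized for it) or pin the relation at build time with `BUILD_BUG_ON(QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX > MAX_ROAMING_PARAM);`. A short comment above the table saying that it serves both the top-level and the nested parses would also help the next reader, e.g. `/* Shared by the outer vendor-data parse and every nested per-entry parse in set_ext_roam_params */`.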