From ed6814c11abf9f96d4060b2825c50842ef83bdba Mon Sep 17 00:00:00 2001
From: Jeff Johnson
Date: Tue, 6 Jun 2017 08:56:33 -0700
Subject: [PATCH] qcacld-2.0: Avoid extscan bucket spec overread

Currently in hdd_extscan_start_fill_bucket_channel_spec() the QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without specifying a policy. This means that no policy is enforced. Subsequently the values of the nested attributes are retrieved, but again without any length limits enforced. This could result in a buffer overread.

To prevent this issue:
* Parse using the existing policy wlan_hdd_extscan_config_policy
* Update the policy to add missing attributes

Bug: 36730104
Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533
CRs-Fixed: 2057034
Signed-off-by: Ecco Park
---
 drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 5ca269bab9cf6..da139cf225ce2 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -845,6 +845,9 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_LOST_AP_SAMPLE_SIZE] = { .type = NLA_U32 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_MIN_BREACHING] = { .type = NLA_U32 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_MAX_PERIOD] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_BASE] = { .type = NLA_U32 },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_STEP_COUNT] = { .type = NLA_U32 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_THRESHOLD_PARAM_SSID] = { .type = NLA_BINARY,
 .len = IEEE80211_MAX_SSID_LEN + 1 },
 [QCA_WLAN_VENDOR_ATTR_EXTSCAN_SSID_HOTLIST_PARAMS_LOST_SSID_SAMPLE_SIZE] = { .type = NLA_U32 },
@@ -3448,8 +3451,9 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
 }
 
 if (nla_parse(bucket,
- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
- nla_data(buckets), nla_len(buckets), NULL)) {
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
+ nla_data(buckets), nla_len(buckets),
+ wlan_hdd_extscan_config_policy)) {
 hddLog(LOGE, FL("nla_parse failed"));
 return -EINVAL;
 }
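Review bot: The three NLA_U32 entries added here close the overread only for MAX_PERIOD, BASE and STEP_COUNT, because nla_parse() does not bound an attribute whose policy slot is left at its zero default (NLA_UNSPEC with .len 0 is accepted at any length); every other QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_* and CHANNEL_SPEC_* attribute that the bucket loop reads with nla_get_u32()/nla_get_u8() needs an entry too, and this hunk does not show whether they already have one. A short comment above the table would keep the next attribute added to the bucket parser from being silently left unchecked: `/* Every attribute fetched with nla_get_*() after an nla_parse() using this policy must have an entry here; a missing entry disables length validation for that attribute. */`. The wlan_hdd_extscan_config_policy array definition starts before this hunk, so the remaining bucket-spec entries could not be checked from here.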
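Review bot: Passing wlan_hdd_extscan_config_policy makes nla_parse() validate type and minimum length, but not presence, so if the reads that follow this hunk call nla_get_u32() on `bucket[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC_*]` without first checking the slot for NULL, a userspace bucket that simply omits an attribute still dereferences NULL; that code is outside the hunk, so confirm each read is guarded with `if (!bucket[attr]) { hddLog(LOGE, FL("attr ... failed")); return -EINVAL; }`. The policy also says nothing about value ranges, so any index or count read from these attributes still needs its own bound check before it is used to index an array. The error log `hddLog(LOGE, FL("nla_parse failed"));` gives no hint which parser fired; `hddLog(LOGE, FL("nla_parse failed for bucket spec"));` would make a rejected request easier to triage. hdd_extscan_start_fill_bucket_channel_spec() starts and ends outside this hunk.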