From 3afb019c44d750086f8d5228f8c934da2910d8df Mon Sep 17 00:00:00 2001
From: gwx419604
Date: Mon, 20 Mar 2017 15:11:22 +0800
Subject: [PATCH] net: wireless: bcmdhd: fix buffer overrun in dhd_pno_process_anqpo_result

CVE-2017-0572 added boundary check not to overflow buffer especially when input parameters manipulated.

Bug: 34198931
Change-Id: I39d7dc38a597a938d37dbd7bb267a7ff4df93e45
Signed-off-by: Insun Song
Signed-off-by: gwx419604
---
 drivers/net/wireless/bcmdhd/dhd_pno.c | 21 +++++++++++++++++----
 1 file changed, 17 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index f3f2a6f2e7aac..ab9bede10e30d 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3631,8 +3631,8 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
 u32 bi_length = 0;
 uint8 channel;
 uint32 mem_needed;
- struct timespec ts;
+ wl_event_gas_t *gas_data;
 *size = 0;
@@ -3653,9 +3653,22 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
 DHD_ERROR(("Invalid bss_info length %d: ignoring\n", bi_length));
 goto exit;
 }
- if (bi->SSID_len > DOT11_MAX_SSID_LEN) {
- DHD_ERROR(("Invalid SSID length %d: trimming it to max\n", bi->SSID_len));
- bi->SSID_len = DOT11_MAX_SSID_LEN;
+ if ((bi->SSID_len > DOT11_MAX_SSID_LEN)||
+ (bi->ie_length > (*size - sizeof(wl_bss_info_t))) ||
+ (bi->ie_offset < sizeof(wl_bss_info_t)) ||
+ (bi->ie_offset > (sizeof(wl_bss_info_t) + bi->ie_length))){
+ DHD_ERROR(("%s: tot:%d,SSID:%d,ie_len:%d,ie_off:%d\n",
+ __FUNCTION__, *size, bi->SSID_len,
+ bi->ie_length, bi->ie_offset));
+ return NULL;
+ }
+
+ gas_data = (wl_event_gas_t *)((uint8 *)data + bi->ie_offset + bi->ie_length);
+
+ if (gas_data->data_len > (*size - (bi->ie_offset + bi->ie_length))) {
+ DHD_ERROR(("%s: wrong gas_data_len:%d\n",
+ __FUNCTION__, gas_data->data_len));
+ return NULL;
 }
 mem_needed = OFFSETOF(wifi_gscan_result_t, ie_data) + bi->ie_length;
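Review bot: `gas_data->data_len` is read before anything in the hunk establishes that the gas header itself lies inside the buffer: the new conditions bound `bi->ie_length` against `*size - sizeof(wl_bss_info_t)` and `bi->ie_offset` against `sizeof(wl_bss_info_t) + bi->ie_length`, but none of them bounds `bi->ie_offset + bi->ie_length` against `*size`, so the pointer formed on the `gas_data =` line can still land past the end of `data`. The data_len comparison that follows does not catch that case either, because `*size` is an `int` while `bi->ie_offset + bi->ie_length` is unsigned, so when the sum exceeds `*size` the subtraction wraps to a large value and the check passes. Suggest adding a fifth term `(bi->ie_offset + bi->ie_length + sizeof(wl_event_gas_t) > (uint32)*size) ||` to the combined condition, and, unless the `bi_length` check just above the hunk already guarantees it, a leading `(*size < (int)sizeof(wl_bss_info_t)) ||` so the `*size - sizeof(wl_bss_info_t)` subtraction cannot wrap. `dhd_process_full_gscan_result` begins before and continues after this hunk.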