From 825eeb85d4866e362452b18df929a54a7c6111f6 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda
Date: Mon, 10 Jul 2017 11:50:46 -0700
Subject: qcacld-2.0: Avoid concurrent matrix max param overread

qcacld-3.0 to qcacld-2.0 propagation

Currently there is no nl policy defined for vendor sub command QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in buffer overread error. To resolve this, add nl policy.

Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
CRs-Fixed: 2058452
Bug: 37712167
Signed-off-by: Srinivas Girigowda
---
 .../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 ++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 6d99f2d..13956f9 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1666,6 +1666,15 @@ wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
 return ret;
 }
 
+#define MAX_CONCURRENT_MATRIX \
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+static const struct nla_policy
+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
+ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
+};
+
 static int
 __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 struct wireless_dev *wdev,
@@ -1674,7 +1683,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 {
 uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0};
 uint8_t i, feature_sets, max_feature_sets;
- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
+ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
 struct sk_buff *reply_skb;
 hdd_context_t *hdd_ctx = wiphy_priv(wiphy);
 int ret;
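Review bot: The policy table added ahead of `__wlan_hdd_cfg80211_get_concurrency_matrix` carries no comment saying what it guards, and the two alias macros above it are generic names that stay defined at file scope until the `#undef` pair in the last hunk. I would put `/* nla policy for QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX: lets nla_parse() reject a SET_SIZE_MAX attribute shorter than a u32 before nla_get_u32() reads it */` directly above `wlan_hdd_get_concurrency_matrix_policy`. Only one attribute index is given a type here; whether this command accepts other attributes that also need an entry is not visible in the patch.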
@@ -1690,19 +1699,19 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 if (0 != ret)
 return ret;
 
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
- data, data_len, NULL)) {
+ if (nla_parse(tb, MAX_CONCURRENT_MATRIX,
+ data, data_len, wlan_hdd_get_concurrency_matrix_policy)) {
 hddLog(LOGE, FL("Invalid ATTR"));
 return -EINVAL;
 }
 
 /* Parse and fetch max feature set */
- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
+ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
 hddLog(LOGE, FL("Attr max feature set size failed"));
 return -EINVAL;
 }
- max_feature_sets = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
+
+ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
 hddLog(LOG1, FL("Max feature set size: %d"), max_feature_sets);
 
 /* Fill feature combination matrix */
@@ -1744,6 +1753,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 return -ENOMEM;
 }
 
+#undef MAX_CONCURRENT_MATRIX
+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+
 /**
 * wlan_hdd_cfg80211_get_concurrency_matrix() - get concurrency matrix
 * @wiphy: pointer to wireless wiphy structure.
--
cgit v1.1
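Review bot: The value validated as `NLA_U32` is still assigned to `max_feature_sets`, which the previous hunk shows is a `uint8_t`, so `max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);` silently truncates anything above 255 (a request of 256 becomes 0). How the value is consumed lies past the end of this hunk, so the practical effect is inferred rather than shown. I would read it into a `uint32_t` local and bound it explicitly against `WLAN_HDD_MAX_FEATURE_SET` before narrowing, and switch the `%d` in the following `hddLog` to `%u` to match.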