From 954bdf216ce56a860092fd9549229b036e08c97b Mon Sep 17 00:00:00 2001
From: Ashish Kumar Dhanotiya
Date: Tue, 13 Jun 2017 18:41:49 +0530
Subject: qcacld-2.0: Validate vendor command do_acs

Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs, this can lead to a buffer overread.
To resolve this issue, Define an nla_policy and validate the attributes.

CRs-Fixed: 2058448
Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
---
 CORE/HDD/src/wlan_hdd_cfg80211.c | 27 +++++++++++++--------------
 1 file changed, 13 insertions(+), 14 deletions(-)

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 2ec3d68..c87f7c0 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -9170,9 +9170,20 @@ static void wlan_hdd_set_mcc_to_scc_switch(hdd_adapter_t *adapter) {}
 #endif
 
+static const struct nla_policy
+wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = {
+	[QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
+	[QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
+	[QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
+	[QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
+	[QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
+	[QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC },
+};
+
 /**
- * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD
+ * __wlan_hdd_cfg80211_do_acs() : CFG80211 handler fucntion for DO_ACS
+ * Vendor CMD
  * @wiphy: Linux wiphy struct pointer
  * @wdev: Linux wireless device struct pointer
  * @data: ACS information from hostapd
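Review bot: The QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST entry is declared NLA_UNSPEC with no `.len`, so nla_parse() will accept a zero-length or arbitrarily long channel list without complaint; the policy fixes the overread for the fixed-size attributes (U8/U16/FLAG now have their minimum length enforced) but the bound for CH_LIST still rests entirely on the consumer using nla_len(), which is outside this hunk. A one-line comment on that entry would stop a later reader from assuming the policy covers it: `/* variable length, not bounded here: reader must use nla_len() */`. The deleted template in the second hunk listed this attribute as NLA_NESTED, so the change to NLA_UNSPEC is a deliberate correction worth a word in the commit message. The rewritten kernel-doc line still carries the typo "fucntion" and could read `CFG80211 handler function for DO_ACS`. The doc comment continues past the end of the hunk.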
@@ -9216,18 +9227,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
 	 * config shall be set only from start_acs.
 	 */
 
-	/* nla_policy Policy template. Policy not applied as some attributes are
-	 * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length
-	 *
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
-	 * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED },
-	 */
-
-
 	status = wlan_hdd_validate_context(hdd_ctx);
 	if (0 != status)
 		return status;
@@ -9257,7 +9256,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
 	vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg));
 
 	status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len,
-			NULL);
+			wlan_hdd_cfg80211_do_acs_policy);
 	if (status) {
 		hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR"));
 		goto out;
-- 
cgit v1.1
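Review bot: With the policy passed to nla_parse() the failure branch now covers two distinct conditions, a malformed attribute stream and a type/length policy violation, but the log line on the following line still says only "Invalid ATTR" and drops the return code, so a rejected request from userspace cannot be told apart from the pre-existing parse failure when triaging; `hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR: %d"), status);` keeps that information. Note also that nla_parse() does not enforce attribute presence, so the policy does not replace whatever NULL checks on tb[] the handler performs before reading the attributes; those checks lie outside the hunk and should be kept. The body of __wlan_hdd_cfg80211_do_acs starts before and ends after this hunk.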