From e55ddf68568a33288d76f5e00c93f8157cb9a632 Mon Sep 17 00:00:00 2001
From: Sudhir Kohalli
Date: Fri, 27 Jan 2017 17:14:19 -0800
Subject: [PATCH] net: wireless: bcmdhd: Fix for arbitrary memory free.

Fix for arbitrary memory free in nexus6p's wifi driver function wl_cfgvendor_dbg_get_mem_dump. Current fix includes intialize mem_buf to NULL and check if the len is valid or not. Also check if buf_len is valid or not. If buf_len is not valid then mem_buf will be set to NULL.

Signed-off-by: Sudhir Kohalli
Change-Id: Ia98ce18f0437d38d6f6d77033af7477ae12574e3
Bug: 34624457
---
 drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
index 9a73de20f1298..1f5152f66ab36 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
@@ -2283,7 +2283,7 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
 int buf_len = 0;
 void __user *user_buf = NULL;
 const struct nlattr *iter;
- char *mem_buf;
+ char *mem_buf = NULL;
 struct sk_buff *skb;
 struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
 
@@ -2291,10 +2291,33 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
 type = nla_type(iter);
 switch (type) {
 case DEBUG_ATTRIBUTE_FW_DUMP_LEN:
- buf_len = nla_get_u32(iter);
+ /* Check if the iter is valid and
+ * buffer length is not already initialized.
+ */
+ if ((nla_len(iter) == sizeof(uint32)) &&
+ !buf_len) {
+ buf_len = nla_get_u32(iter);
+ if (buf_len <= 0) {
+ ret = BCME_ERROR;
+ goto exit;
+ }
+ } else {
+ ret = BCME_ERROR;
+ goto exit;
+ }
 break;
 case DEBUG_ATTRIBUTE_FW_DUMP_DATA:
- user_buf = (void __user *)(unsigned long) nla_get_u64(iter);
+ if (nla_len(iter) != sizeof(uint64)) {
+ WL_ERR(("Invalid len\n"));
+ ret = BCME_ERROR;
+ goto exit;
+ }
+ user_buf =
+ (void __user *)(unsigned long)nla_get_u64(iter);
+ if (!user_buf) {
+ ret = BCME_ERROR;
+ goto exit;
+ }
 break;
 default:
 WL_ERR(("Unknown type: %d\n", type));
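Review bot: The new DEBUG_ATTRIBUTE_FW_DUMP_LEN branch bounds buf_len only from below (`if (buf_len <= 0)`), so any attribute value from 1 to INT_MAX is accepted; buf_len is an int assigned from nla_get_u32(), and only values that wrap negative are rejected. Whether that length is later compared against the size of the dump the driver actually holds depends on code outside this hunk (the exit label and the copy toward user_buf are not shown), so that comparison should be confirmed there or an upper bound added here. The if/else in that branch also repeats the same error exit twice; `if (nla_len(iter) != sizeof(uint32) || buf_len) { ret = BCME_ERROR; goto exit; }` followed by an unconditional `buf_len = nla_get_u32(iter);` reads more directly, and a WL_ERR() on that path would match the logging the FW_DUMP_DATA branch adds. The enclosing function wl_cfgvendor_dbg_get_mem_dump begins and ends outside the hunk.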