DivestOS/Patches/Linux_CVEs/CVE-2017-0443/ANY/0002.patch
2017-11-07 17:32:46 -05:00

127 lines
4.3 KiB
Diff

From a4c5eefd5dd761445784963f3b6605d24d2bc3af Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Tue, 29 Nov 2016 07:22:08 -0800
Subject: qcacld-3.0: Avoid overflow of roam subcmd params
This is a qcacld-2.0 to qcacld-3.0 propagation.
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
---
core/hdd/src/wlan_hdd_cfg80211.c | 41 ++++++++++++++++++++++++++++++++++------
1 file changed, 35 insertions(+), 6 deletions(-)
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 169629a..c457140 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -2339,6 +2339,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
ENTER_DEV(dev);
@@ -2509,14 +2510,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hdd_err("attr num of preferred bssid failed");
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
- hdd_debug("Num of Preferred BSSID (%d)",
- roam_params.num_bssid_favored);
+ if (count > MAX_BSSID_FAVORED) {
+ hdd_err("Preferred BSSID count %u exceeds max %u",
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
+ hdd_debug("Num of Preferred BSSID (%d)", count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hdd_warn("Ignoring excess Preferred BSSID");
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2545,6 +2556,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hdd_warn("Num Preferred BSSID %u less than expected %u",
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2554,14 +2569,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hdd_err("attr num of blacklist bssid failed");
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
- hdd_debug("Num of blacklist BSSID (%d)",
- roam_params.num_bssid_avoid_list);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hdd_err("Blacklist BSSID count %u exceeds max %u",
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
+ hdd_debug("Num of blacklist BSSID (%d)", count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hdd_warn("Ignoring excess Blacklist BSSID");
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2582,6 +2607,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i].bytes));
i++;
}
+ if (i < count)
+ hdd_warn("Num Blacklist BSSID %u less than expected %u",
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;
--
cgit v1.1