mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-12 01:14:22 -05:00
127 lines
4.3 KiB
Diff
127 lines
4.3 KiB
Diff
From a4c5eefd5dd761445784963f3b6605d24d2bc3af Mon Sep 17 00:00:00 2001
|
|
From: Jeff Johnson <jjohnson@codeaurora.org>
|
|
Date: Tue, 29 Nov 2016 07:22:08 -0800
|
|
Subject: qcacld-3.0: Avoid overflow of roam subcmd params
|
|
|
|
This is a qcacld-2.0 to qcacld-3.0 propagation.
|
|
|
|
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
|
|
command, for the following roam commands there are input validation
|
|
issues:
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
|
|
|
|
Both of these commands have a "number of BSSIDs" attribute as well as a
|
|
list of BSSIDs. However there is no validation that the number of
|
|
BSSIDs provided won't overflow the destination buffer. In addition
|
|
there is no validation that the number of BSSIDs actually provided
|
|
matches the number of BSSIDs expected.
|
|
|
|
To address these issues, for the above mentioned commands:
|
|
* Verify that the expected number of BSSIDs doesn't exceed the maximum
|
|
allowed number of BSSIDs
|
|
* Verify that the actual number of BSSIDs supplied doesn't exceed the
|
|
expected number of BSSIDs
|
|
* Only process the actual number of supplied BSSIDs if it is less than
|
|
the expected number of BSSIDs.
|
|
|
|
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
|
|
CRs-Fixed: 1092497
|
|
---
|
|
core/hdd/src/wlan_hdd_cfg80211.c | 41 ++++++++++++++++++++++++++++++++++------
|
|
1 file changed, 35 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
|
|
index 169629a..c457140 100644
|
|
--- a/core/hdd/src/wlan_hdd_cfg80211.c
|
|
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
|
|
@@ -2339,6 +2339,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
|
|
int rem, i;
|
|
uint32_t buf_len = 0;
|
|
+ uint32_t count;
|
|
int ret;
|
|
|
|
ENTER_DEV(dev);
|
|
@@ -2509,14 +2510,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
hdd_err("attr num of preferred bssid failed");
|
|
goto fail;
|
|
}
|
|
- roam_params.num_bssid_favored = nla_get_u32(
|
|
+ count = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
|
|
- hdd_debug("Num of Preferred BSSID (%d)",
|
|
- roam_params.num_bssid_favored);
|
|
+ if (count > MAX_BSSID_FAVORED) {
|
|
+ hdd_err("Preferred BSSID count %u exceeds max %u",
|
|
+ count, MAX_BSSID_FAVORED);
|
|
+ goto fail;
|
|
+ }
|
|
+ hdd_debug("Num of Preferred BSSID (%d)", count);
|
|
i = 0;
|
|
nla_for_each_nested(curr_attr,
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
|
|
rem) {
|
|
+
|
|
+ if (i == count) {
|
|
+ hdd_warn("Ignoring excess Preferred BSSID");
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(tb2,
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
@@ -2545,6 +2556,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
roam_params.bssid_favored_factor[i]);
|
|
i++;
|
|
}
|
|
+ if (i < count)
|
|
+ hdd_warn("Num Preferred BSSID %u less than expected %u",
|
|
+ i, count);
|
|
+ roam_params.num_bssid_favored = i;
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
|
|
break;
|
|
@@ -2554,14 +2569,24 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
hdd_err("attr num of blacklist bssid failed");
|
|
goto fail;
|
|
}
|
|
- roam_params.num_bssid_avoid_list = nla_get_u32(
|
|
+ count = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
|
|
- hdd_debug("Num of blacklist BSSID (%d)",
|
|
- roam_params.num_bssid_avoid_list);
|
|
+ if (count > MAX_BSSID_AVOID_LIST) {
|
|
+ hdd_err("Blacklist BSSID count %u exceeds max %u",
|
|
+ count, MAX_BSSID_AVOID_LIST);
|
|
+ goto fail;
|
|
+ }
|
|
+ hdd_debug("Num of blacklist BSSID (%d)", count);
|
|
i = 0;
|
|
nla_for_each_nested(curr_attr,
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
|
|
rem) {
|
|
+
|
|
+ if (i == count) {
|
|
+ hdd_warn("Ignoring excess Blacklist BSSID");
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(tb2,
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
@@ -2582,6 +2607,10 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
roam_params.bssid_avoid_list[i].bytes));
|
|
i++;
|
|
}
|
|
+ if (i < count)
|
|
+ hdd_warn("Num Blacklist BSSID %u less than expected %u",
|
|
+ i, count);
|
|
+ roam_params.num_bssid_avoid_list = i;
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
|
|
break;
|
|
--
|
|
cgit v1.1
|
|
|