DivestOS/Patches/Linux_CVEs/CVE-2016-0844/ANY/0001.patch
2017-11-07 17:32:46 -05:00

61 lines
2.3 KiB
Diff

From 90a9da2ea95e86b4f0ff493cd891a11da0ee67aa Mon Sep 17 00:00:00 2001
From: Skylar Chang <chiaweic@codeaurora.org>
Date: Tue, 29 Dec 2015 18:50:34 -0800
Subject: msm: ipa: fix the mux_channel buffer overflow
Add the check on ipa wan-driver to check if
receiving more than MAX_NUM_OF_MUX_CHANNEL times
different RMNET_IOCTL_ADD_MUX_CHANNEL ioctls
from netmgrd.
CRs-Fixed: 956393
Change-Id: Ic8890b084a8da69fdcf54541e82f6e4961492ce1
Signed-off-by: Skylar Chang <chiaweic@codeaurora.org>
---
drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c | 7 ++++++-
drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c | 6 ++++++
2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
index e30d6d1..f3b883e 100644
--- a/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v2/rmnet_ipa.c
@@ -1,4 +1,4 @@
-/* Copyright (c) 2014-2015, The Linux Foundation. All rights reserved.
+/* Copyright (c) 2014-2016, The Linux Foundation. All rights reserved.
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 and
@@ -1366,6 +1366,11 @@ static int ipa_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
rmnet_mux_val.mux_id);
return rc;
}
+ if (rmnet_index >= MAX_NUM_OF_MUX_CHANNEL) {
+ IPAWANERR("Exceed mux_channel limit(%d)\n",
+ rmnet_index);
+ return -EFAULT;
+ }
IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
extend_ioctl_data.u.rmnet_mux_val.mux_id,
extend_ioctl_data.u.rmnet_mux_val.vchannel_name);
diff --git a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
index 9697590..2c3e18e 100644
--- a/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
+++ b/drivers/platform/msm/ipa/ipa_v3/rmnet_ipa.c
@@ -1382,6 +1382,12 @@ static int ipa3_wwan_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd)
rmnet_mux_val.mux_id);
return rc;
}
+ if (rmnet_ipa3_ctx->rmnet_index
+ >= MAX_NUM_OF_MUX_CHANNEL) {
+ IPAWANERR("Exceed mux_channel limit(%d)\n",
+ rmnet_ipa3_ctx->rmnet_index);
+ return -EFAULT;
+ }
IPAWANDBG("ADD_MUX_CHANNEL(%d, name: %s)\n",
extend_ioctl_data.u.rmnet_mux_val.mux_id,
extend_ioctl_data.u.rmnet_mux_val.vchannel_name);
--
cgit v1.1