mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
77 lines
2.6 KiB
Diff
77 lines
2.6 KiB
Diff
From e578706506f98a4962220066d92d81e853ac7212 Mon Sep 17 00:00:00 2001
|
|
From: Jeff Johnson <jjohnson@codeaurora.org>
|
|
Date: Tue, 29 Nov 2016 08:54:18 -0800
|
|
Subject: qcacld-3.0: Avoid overflow of "significant change" params
|
|
|
|
This is a qcacld-2.0 to qcacld-3.0 propagation.
|
|
|
|
The wlan driver supports the following vendor command:
|
|
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE
|
|
|
|
This command supplies a "number of APs" attribute as well as a list of
|
|
per-AP attributes. However there is no validation that the number of
|
|
APs provided won't overflow the destination buffer. In addition there
|
|
is no validation that the number of APs actually provided matches the
|
|
number of APs expected.
|
|
|
|
To address these issues:
|
|
* Verify that the expected number of APs doesn't exceed the maximum
|
|
allowed number of APs
|
|
* Verify that the actual number of APs supplied doesn't exceed the
|
|
expected number of APs
|
|
* Only process the actual number of supplied APs if it is less than
|
|
the expected number of APs.
|
|
|
|
Change-Id: I0513ffbc4a38f1d7ddbc0815d3618fc9a2ea4f77
|
|
CRs-Fixed: 1095009
|
|
---
|
|
core/hdd/src/wlan_hdd_ext_scan.c | 18 ++++++++++++++++++
|
|
1 file changed, 18 insertions(+)
|
|
|
|
diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
|
|
index 86a51f7..320ea3c 100644
|
|
--- a/core/hdd/src/wlan_hdd_ext_scan.c
|
|
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
|
|
@@ -2320,6 +2320,13 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
|
|
pReqMsg->numAp =
|
|
nla_get_u32(tb
|
|
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SIGNIFICANT_CHANGE_PARAMS_NUM_AP]);
|
|
+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS) {
|
|
+ hdd_err("Number of AP %u exceeds max %u",
|
|
+ pReqMsg->numAp,
|
|
+ WLAN_EXTSCAN_MAX_SIGNIFICANT_CHANGE_APS);
|
|
+ goto fail;
|
|
+ }
|
|
+
|
|
pReqMsg->sessionId = pAdapter->sessionId;
|
|
hdd_notice("Number of AP %d Session Id %d",
|
|
pReqMsg->numAp, pReqMsg->sessionId);
|
|
@@ -2328,6 +2335,12 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
|
|
nla_for_each_nested(apTh,
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM],
|
|
rem) {
|
|
+
|
|
+ if (i == pReqMsg->numAp) {
|
|
+ hdd_warn("Ignoring excess AP");
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse
|
|
(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
|
nla_data(apTh), nla_len(apTh),
|
|
@@ -2372,6 +2385,11 @@ __wlan_hdd_cfg80211_extscan_set_significant_change(struct wiphy *wiphy,
|
|
|
|
i++;
|
|
}
|
|
+ if (i < pReqMsg->numAp) {
|
|
+ hdd_warn("Number of AP %u less than expected %u",
|
|
+ i, pReqMsg->numAp);
|
|
+ pReqMsg->numAp = i;
|
|
+ }
|
|
|
|
context = &ext_scan_context;
|
|
spin_lock(&context->context_lock);
|
|
--
|
|
cgit v1.1
|
|
|