DivestOS/Patches/Linux_CVEs/CVE-2017-11061/qcacld-2.0/0001.patch
2017-11-07 18:55:10 -05:00


From e08628a3cfe039bc4bdd7fc66f5ec7a59a97b404 Mon Sep 17 00:00:00 2001
From: Ravi Kumar Bokka <brkum@codeaurora.org>
Date: Mon, 12 Jun 2017 21:34:30 +0530
Subject: qcacld-2.0: Validate vendor set roaming params command
Currently there is no nl policy defined for vendor sub command
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX which may result in
buffer overread error.
To resolve this, add nl policy.
Change-Id: Ib5d3c34dbcec29a98766753efc4e9c4ecf748c2e
CRs-Fixed: 2059701
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 51 ++++++++++++++++++++++++++++++++++++----
1 file changed, 47 insertions(+), 4 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 57ba680..313de1e 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1870,6 +1870,49 @@ wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
return ret;
}
+#define MAX_ROAMING_PARAM \
+ QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX
+
+static const struct nla_policy
+wlan_hdd_set_roam_param_policy[MAX_ROAMING_PARAM + 1] = {
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_SUBCMD] = {.type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_REQ_ID] = {.type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_NUM_NETWORKS] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID_LIST] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_WHITE_LIST_SSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_THRESHOLD] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_THRESHOLD] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_BOOST_FACTOR] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_PENALTY_FACTOR] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_A_BAND_MAX_BOOST] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_LAZY_ROAM_HISTERESYS] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_ALERT_ROAM_RSSI_TRIGGER] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_ENABLE] = {
+ .type = NLA_S32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_BSSID] = {
+ .type = NLA_BINARY,
+ .len = MAC_ADDRESS_STR_LEN},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_RSSI_MODIFIER] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID] = {
+ .type = NLA_U32},
+ [QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID] = {
+ .type = NLA_BINARY,
+ .len = MAC_ADDRESS_STR_LEN},
+};
+
static int
__wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct wireless_dev *wdev,
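Review bot: The two BSSID entries use `.type = NLA_BINARY, .len = MAC_ADDRESS_STR_LEN`, and for NLA_BINARY the `.len` field is only an upper bound, so a BSSID attribute shorter than a MAC address still passes this policy. The handler body that reads these attributes is outside the hunk, so each BSSID read there should carry its own lower-bound check, for example `if (nla_len(tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_BSSID]) < ETH_ALEN) goto fail;`. The name `MAC_ADDRESS_STR_LEN` also suggests the textual form of an address rather than the 6-byte binary one; if so, the cap is looser than intended and is worth confirming against its definition. Separately, `..._WHITE_LIST_SSID_LIST` and `..._WHITE_LIST_SSID` are declared `NLA_U32`, which looks inconsistent with a list container and an SSID payload; if the handler treats them as nested and binary data, `NLA_NESTED` and a length-capped `NLA_BINARY` would describe them accurately.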
@@ -1901,7 +1944,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
data, data_len,
- NULL)) {
+ wlan_hdd_set_roam_param_policy)) {
hddLog(LOGE, FL("Invalid ATTR"));
return -EINVAL;
}
@@ -1940,7 +1983,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_MAX,
nla_data(curr_attr), nla_len(curr_attr),
- NULL)) {
+ wlan_hdd_set_roam_param_policy)) {
hddLog(LOGE, FL("nla_parse failed"));
goto fail;
}
@@ -2104,7 +2147,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
- NULL)) {
+ wlan_hdd_set_roam_param_policy)) {
hddLog(LOGE, FL("nla_parse failed"));
goto fail;
}
@@ -2166,7 +2209,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
- NULL)) {
+ wlan_hdd_set_roam_param_policy)) {
hddLog(LOGE, FL("nla_parse failed"));
goto fail;
}
--
cgit v1.1