DivestOS/Patches/Linux_CVEs/CVE-2017-11062/qcacld-2.0/0001.patch
From 954bdf216ce56a860092fd9549229b036e08c97b Mon Sep 17 00:00:00 2001
From: Ashish Kumar Dhanotiya <adhanoti@codeaurora.org>
Date: Tue, 13 Jun 2017 18:41:49 +0530
Subject: qcacld-2.0: Validate vendor command do_acs
Currently attributes are not validated in __wlan_hdd_cfg80211_do_acs,
this can lead to a buffer overread.
To resolve this issue, define an nla_policy and validate the
attributes.
CRs-Fixed: 2058448
Change-Id: Ic1bd5abbef09407f925625b709f10cf9cb7c3d7f
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 27 +++++++++++++--------------
1 file changed, 13 insertions(+), 14 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 2ec3d68..c87f7c0 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -9170,9 +9170,20 @@ static void
wlan_hdd_set_mcc_to_scc_switch(hdd_adapter_t *adapter)
{}
#endif
+static const struct nla_policy
+wlan_hdd_cfg80211_do_acs_policy[QCA_WLAN_VENDOR_ATTR_ACS_MAX+1] = {
+ [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
+ [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
+ [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
+ [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
+ [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
+ [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC },
+};
+
/**
- * __wlan_hdd_cfg80211_do_acs : CFG80211 handler fucntion for DO_ACS Vendor CMD
+ * __wlan_hdd_cfg80211_do_acs() : CFG80211 handler fucntion for DO_ACS
+ * Vendor CMD
* @wiphy: Linux wiphy struct pointer
* @wdev: Linux wireless device struct pointer
* @data: ACS information from hostapd
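Review bot: The `[QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_UNSPEC }` entry carries no `.len`, so the nla_parse() call in the third hunk still accepts a channel list of any length, including zero; the type checks added here only bound the scalar attributes. Whoever consumes the channel list (outside these hunks, so I cannot confirm it here) must therefore still derive the element count from `nla_len()` rather than assume a fixed size. If a non-empty list is required, `{ .type = NLA_UNSPEC, .len = 1 }` would let nla_parse() reject an empty payload, since for NLA_UNSPEC the policy's `.len` acts as a minimum. The rewrapped kernel-doc line also carries over the existing typo; suggest `* __wlan_hdd_cfg80211_do_acs() : CFG80211 handler function for DO_ACS`.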
@@ -9216,18 +9227,6 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
* config shall be set only from start_acs.
*/
- /* nla_policy Policy template. Policy not applied as some attributes are
- * optional and QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST has variable length
- *
- * [QCA_WLAN_VENDOR_ATTR_ACS_HW_MODE] = { .type = NLA_U8 },
- * [QCA_WLAN_VENDOR_ATTR_ACS_HT_ENABLED] = { .type = NLA_FLAG },
- * [QCA_WLAN_VENDOR_ATTR_ACS_HT40_ENABLED] = { .type = NLA_FLAG },
- * [QCA_WLAN_VENDOR_ATTR_ACS_VHT_ENABLED] = { .type = NLA_FLAG },
- * [QCA_WLAN_VENDOR_ATTR_ACS_CHWIDTH] = { .type = NLA_U16 },
- * [QCA_WLAN_VENDOR_ATTR_ACS_CH_LIST] = { .type = NLA_NESTED },
- */
-
-
status = wlan_hdd_validate_context(hdd_ctx);
if (0 != status)
return status;
@@ -9257,7 +9256,7 @@ static int __wlan_hdd_cfg80211_do_acs(struct wiphy *wiphy,
vos_mem_zero(&sap_config->acs_cfg, sizeof(struct sap_acs_cfg));
status = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_ACS_MAX, data, data_len,
- NULL);
+ wlan_hdd_cfg80211_do_acs_policy);
if (status) {
hddLog(VOS_TRACE_LEVEL_ERROR, FL("Invalid ATTR"));
goto out;
--