DivestOS/Patches/Linux_CVEs/CVE-2017-0440/ANY/2.patch
2017-10-29 22:14:37 -04:00

97 lines
4.0 KiB
Diff

From 8fc2d90f0be55051ff2efa8d3fbea1097f910458 Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Wed, 30 Nov 2016 19:21:30 -0800
Subject: [PATCH] qcacld-2.0: Avoid overflow of "set_bssid_hotlist" params
The wlan driver supports the following vendor command:
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
This command supplies a "number of APs" attribute as well as a list of
per-AP attributes. However there is no validation that the number of
APs provided won't overflow the destination buffer. In addition there
is no validation that the number of APs actually provided matches the
number of APs expected.
To address these issues:
* Verify that the expected number of APs doesn't exceed the maximum
allowed number of APs
* Verify that the actual number of APs supplied doesn't exceed the
expected number of APs
* Only process the actual number of supplied APs if it is less than
the expected number of APs.
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
CRs-Fixed: 1095770
Bug: 33252788
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
.../staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c | 6 +++---
2 files changed, 19 insertions(+), 3 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 301ef98c20d13..9ed9f6335834d 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -2752,6 +2752,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
}
pReqMsg->numAp = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]);
+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS) {
+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"),
+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_HOTLIST_APS);
+ goto fail;
+ }
hddLog(LOG1, FL("Number of AP %d"), pReqMsg->numAp);
/* Parse and fetch lost ap sample size */
@@ -2770,6 +2775,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
i = 0;
nla_for_each_nested(apTh,
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {
+ if (i == pReqMsg->numAp) {
+ hddLog(LOGW, FL("Ignoring excess AP"));
+ break;
+ }
+
if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
nla_data(apTh), nla_len(apTh),
wlan_hdd_extscan_config_policy)) {
@@ -2808,6 +2818,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
i++;
}
+ if (i < pReqMsg->numAp) {
+ hddLog(LOGW, FL("Number of AP %u less than expected %u"),
+ i, pReqMsg->numAp);
+ pReqMsg->numAp = i;
+ }
+
context = &pHddCtx->ext_scan_context;
spin_lock(&hdd_context_lock);
INIT_COMPLETION(context->response_event);
diff --git a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
index 53898a83d9d45..ec41442b4b240 100644
--- a/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
+++ b/drivers/staging/qcacld-2.0/CORE/SERVICES/WMA/wma.c
@@ -27091,7 +27091,7 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle,
int cmd_len = 0;
int num_entries = 0;
int min_entries = 0;
- int numap = photlist->numAp;
+ uint32_t numap = photlist->numAp;
int len = sizeof(*cmd);
len += WMI_TLV_HDR_SIZE;
@@ -27100,8 +27100,8 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle,
/* setbssid hotlist expects the bssid list
* to be non zero value
*/
- if (!numap) {
- WMA_LOGE("%s: Invalid number of bssid's", __func__);
+ if (!numap || (numap > WLAN_EXTSCAN_MAX_HOTLIST_APS)) {
+ WMA_LOGE("%s: Invalid number of APs: %d", __func__, numap);
return VOS_STATUS_E_INVAL;
}
num_entries = wma_get_hotlist_entries_per_page(wma_handle->wmi_handle,