DivestOS/Patches/Linux_CVEs/CVE-2016-8476/ANY/0.patch

From bfe8035bce6fec72ed1d064b94529fce8fb09799 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Fri, 18 Nov 2016 08:04:08 -0800
Subject: qcacld-2.0: Validate "set passpoint list" network count

Currently when processing the "set passpoint list" vendor command the
"number of networks" parameter is not limit checked. This value is
subsequently used to calculate the size of a buffer. Add a limit check
to ensure that an appropriately sized buffer is always allocated.

Change-Id: Ibc2346b8a62898fc47e2d1efe457c57c08b0cada
CRs-Fixed: 1091940
---
 CORE/HDD/src/wlan_hdd_cfg80211.c | 7 ++++++-
 CORE/MAC/inc/sirApi.h            | 1 +
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 77a3ae9..a2ff8fe 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -5246,8 +5246,13 @@ static int __wlan_hdd_cfg80211_set_passpoint_list(struct wiphy *wiphy,
 	}
 	num_networks = nla_get_u32(
 		tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM]);
-	hddLog(LOG1, FL("num networks %u"), num_networks);
+	if (num_networks > SIR_PASSPOINT_LIST_MAX_NETWORKS) {
+		hddLog(LOGE, FL("num networks %u exceeds max %u"),
+		       num_networks, SIR_PASSPOINT_LIST_MAX_NETWORKS);
+		return -EINVAL;
+	}
 
+	hddLog(LOG1, FL("num networks %u"), num_networks);
 	req_msg = vos_mem_malloc(sizeof(*req_msg) +
 			(num_networks * sizeof(req_msg->networks[0])));
 	if (!req_msg) {
diff --git a/CORE/MAC/inc/sirApi.h b/CORE/MAC/inc/sirApi.h
index c5074d2..fd0adb2 100644
--- a/CORE/MAC/inc/sirApi.h
+++ b/CORE/MAC/inc/sirApi.h
@@ -5773,6 +5773,7 @@ struct wifi_epno_params
 	struct wifi_epno_network networks[];
 };
 
+#define SIR_PASSPOINT_LIST_MAX_NETWORKS 8
 #define SIR_PASSPOINT_REALM_LEN 256
 #define SIR_PASSPOINT_ROAMING_CONSORTIUM_ID_NUM 16
 #define SIR_PASSPOINT_PLMN_LEN 3
-- 
cgit v1.1