mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
76 lines
3.1 KiB
Diff
76 lines
3.1 KiB
Diff
From 0160130f4217c782a7857588f668ab54fae21f58 Mon Sep 17 00:00:00 2001
|
|
From: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
Date: Wed, 9 Nov 2016 13:55:37 -0800
|
|
Subject: [PATCH] qcacld-2.0: Avoid overflow of EXTSCAN bucket list
|
|
|
|
Currently when processing an EXTSCAN vendor command the "num buckets"
|
|
attribute is limit checked and if it exceeds a MAX value then a
|
|
warning message is issued. But beyond that the "num buckets" attribute
|
|
is not used. Instead when the buckets are actually parsed the number
|
|
of buckets is calculated dynamically based upon the number of
|
|
attributes present in the request. Unfortunately when the bucket
|
|
attributes are parsed there is no check to make sure the number of
|
|
buckets processed does not exceed the MAX value, and as a result a
|
|
buffer overflow can occur. Address this issue by aborting the bucket
|
|
parsing once the expected number of records have been parsed.
|
|
|
|
Change-Id: Ic260dd65dc99118afbb8042d102acb5b26d1e123
|
|
CRs-Fixed: 1087797
|
|
Bug: 32451104
|
|
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
---
|
|
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 13 ++++++++++++-
|
|
1 file changed, 12 insertions(+), 1 deletion(-)
|
|
|
|
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index a22714874062e..e628b575350e4 100644
|
|
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -3525,6 +3525,7 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
|
|
int rem1, rem2;
|
|
eHalStatus status;
|
|
uint8_t bktIndex, j, numChannels, total_channels = 0;
|
|
+ uint32_t expected_buckets;
|
|
uint32_t chanList[WNI_CFG_VALID_CHANNEL_LIST_LEN] = {0};
|
|
|
|
uint32_t min_dwell_time_active_bucket =
|
|
@@ -3536,7 +3537,6 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
|
|
uint32_t max_dwell_time_passive_bucket =
|
|
pHddCtx->cfg_ini->extscan_passive_max_chn_time;
|
|
|
|
- bktIndex = 0;
|
|
pReqMsg->min_dwell_time_active =
|
|
pReqMsg->max_dwell_time_active =
|
|
pHddCtx->cfg_ini->extscan_active_max_chn_time;
|
|
@@ -3544,10 +3544,19 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
|
|
pReqMsg->min_dwell_time_passive =
|
|
pReqMsg->max_dwell_time_passive =
|
|
pHddCtx->cfg_ini->extscan_passive_max_chn_time;
|
|
+
|
|
+ expected_buckets = pReqMsg->numBuckets;
|
|
pReqMsg->numBuckets = 0;
|
|
+ bktIndex = 0;
|
|
|
|
nla_for_each_nested(buckets,
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC], rem1) {
|
|
+
|
|
+ if (bktIndex >= expected_buckets) {
|
|
+ hddLog(LOGW, FL("ignoring excess buckets"));
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(bucket,
|
|
QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
|
nla_data(buckets), nla_len(buckets), NULL)) {
|
|
@@ -4058,8 +4067,10 @@ static int __wlan_hdd_cfg80211_extscan_start(struct wiphy *wiphy,
|
|
hddLog(LOGW,
|
|
FL("Exceeded MAX number of buckets: %d"),
|
|
WLAN_EXTSCAN_MAX_BUCKETS);
|
|
+ num_buckets = WLAN_EXTSCAN_MAX_BUCKETS;
|
|
}
|
|
hddLog(LOG1, FL("Input: Number of Buckets %d"), num_buckets);
|
|
+ pReqMsg->numBuckets = num_buckets;
|
|
|
|
/* This is optional attribute, if not present set it to 0 */
|
|
if (!tb[PARAM_CONFIG_FLAGS])
|