mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-09-16 06:22:26 +00:00
98 lines
3.5 KiB
Diff
98 lines
3.5 KiB
Diff
From 5204ea3cae1b07aad76d9d831e46dfaea492f488 Mon Sep 17 00:00:00 2001
|
|
From: Mukul Sharma <mukul@codeaurora.org>
|
|
Date: Mon, 19 Jun 2017 19:21:42 +0530
|
|
Subject: [PATCH] qcacld-2.0: Avoid buffer overread when parsing PNO commands
|
|
|
|
Propagation from qcacld-3.0 to qcacld-2.0
|
|
|
|
There are currently three issues which can result in a buffer overread
|
|
when processing PNO vendor commands:
|
|
1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
|
|
when invoking nla_parse().
|
|
2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
|
|
when invoking nla_parse().
|
|
3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
|
|
of the attributes that are parsed are present in the policy.
|
|
To prevent buffer overread:
|
|
1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
|
|
hdd_extscan_passpoint_fill_network_list() to use the policy
|
|
wlan_hdd_pno_config_policy.
|
|
2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
|
|
attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
|
|
hdd_extscan_passpoint_fill_network_list(), and
|
|
__wlan_hdd_cfg80211_set_epno_list().
|
|
|
|
Bug: 36817548
|
|
Bug: 36815952
|
|
Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
|
|
CRs-Fixed: 2058447
|
|
Signed-off-by: Ecco Park <eccopark@google.com>
|
|
---
|
|
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 32 ++++++++++++++++++++--
|
|
1 file changed, 30 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index 94b161e37a59a..c7d271f91ceb9 100644
|
|
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -857,6 +857,12 @@ wlan_hdd_extscan_config_policy[QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_
|
|
|
|
static const struct nla_policy
|
|
wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
|
|
+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
|
|
.type = NLA_U32
|
|
},
|
|
@@ -870,6 +876,27 @@ wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
|
|
[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
|
|
.type = NLA_U8
|
|
},
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
+ [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
|
|
+ .type = NLA_U32
|
|
+ },
|
|
};
|
|
|
|
static const struct nla_policy
|
|
@@ -4696,7 +4723,8 @@ static int hdd_extscan_passpoint_fill_network_list(
|
|
|
|
if (nla_parse(network,
|
|
QCA_WLAN_VENDOR_ATTR_PNO_MAX,
|
|
- nla_data(networks), nla_len(networks), NULL)) {
|
|
+ nla_data(networks), nla_len(networks),
|
|
+ wlan_hdd_pno_config_policy)) {
|
|
hddLog(LOGE, FL("nla_parse failed"));
|
|
return -EINVAL;
|
|
}
|
|
@@ -4918,7 +4946,7 @@ static int __wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy,
|
|
}
|
|
|
|
if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
|
|
- wlan_hdd_extscan_config_policy)) {
|
|
+ wlan_hdd_pno_config_policy)) {
|
|
hddLog(LOGE, FL("Invalid ATTR"));
|
|
return -EINVAL;
|
|
}
|