DivestOS/Patches/Linux_CVEs/CVE-2017-9693/ANY/0.patch
2017-10-29 22:14:37 -04:00


From 41c47c76d3672de1a091b53878e1abad583b413d Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Thu, 25 May 2017 15:16:36 -0700
Subject: [PATCH] qcacld-2.0: Trim extn capability to max supported in change
station
extn capabilities can be controlled by user, which can
be sent greater than the max supported value. This results
in stack overflow in change station command.
Add check to validate extn capability param given by user
and if it exceeds max supported value, set it to max supported
value.
CRs-Fixed: 2044820
Change-Id: I531799dd06c41069e85ad969de6182363dbf9f05
Bug: 36817798
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 3580d2b73494b..0fd39f568de4d 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -14887,9 +14887,16 @@ static int __wlan_hdd_change_station(struct wiphy *wiphy,
StaParams.supported_oper_classes_len =
params->supported_oper_classes_len;
+ if (params->ext_capab_len > sizeof(StaParams.extn_capability)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
+ "received extn capabilities: %d, reset to max supported",
+ params->ext_capab_len);
+ params->ext_capab_len = sizeof(StaParams.extn_capability);
+ }
+
if (0 != params->ext_capab_len)
vos_mem_copy(StaParams.extn_capability, params->ext_capab,
- sizeof(StaParams.extn_capability));
+ params->ext_capab_len);
if (NULL != params->ht_capa) {
StaParams.htcap_present = 1;
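Review bot: With the copy now bounded by `params->ext_capab_len`, the bytes of `StaParams.extn_capability` beyond that length are no longer written here, so they keep whatever `StaParams` held before this block. Whether `StaParams` is zero-initialised is decided earlier in `__wlan_hdd_change_station`, outside this hunk; if it is not, stale stack bytes would travel on with the station parameters. Confirm that initialisation, or add `vos_mem_zero(StaParams.extn_capability, sizeof(StaParams.extn_capability));` before the copy. Separately, the clamp writes back into the caller's `params`; clamping into a local length would leave the input untouched, and a comment such as `/* ext_capab_len is user-controlled; never copy more than the destination holds */` would record why the bound exists.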