DivestOS/Patches/Linux_CVEs/CVE-2017-0442/qcacld-2.0/0001.patch
2017-11-07 18:55:10 -05:00

129 lines
4.4 KiB
Diff

From 1f0b036dc74ccb6e9f0a03a540efdb0876f5ca77 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Mon, 28 Nov 2016 09:19:02 -0800
Subject: qcacld-2.0: Avoid overflow of roam subcmd params
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
command, for the following roam commands there are input validation
issues:
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
Both of these commands have a "number of BSSIDs" attribute as well as a
list of BSSIDs. However there is no validation that the number of
BSSIDs provided won't overflow the destination buffer. In addition
there is no validation that the number of BSSIDs actually provided
matches the number of BSSIDs expected.
To address these issues, for the above mentioned commands:
* Verify that the expected number of BSSIDs doesn't exceed the maximum
allowed number of BSSIDs
* Verify that the actual number of BSSIDs supplied doesn't exceed the
expected number of BSSIDs
* Only process the actual number of supplied BSSIDs if it is less than
the expected number of BSSIDs.
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
CRs-Fixed: 1092497
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 43 ++++++++++++++++++++++++++++++++++------
1 file changed, 37 insertions(+), 6 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b3c265c..800d123 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -1870,6 +1870,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
int rem, i;
uint32_t buf_len = 0;
+ uint32_t count;
int ret;
if (VOS_FTM_MODE == hdd_get_conparam()) {
@@ -2045,15 +2046,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of preferred bssid failed"));
goto fail;
}
- roam_params.num_bssid_favored = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
+ if (count > MAX_BSSID_FAVORED) {
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_FAVORED);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of Preferred BSSID (%d)"),
- roam_params.num_bssid_favored);
+ FL("Num of Preferred BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2083,6 +2094,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_favored_factor[i]);
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Preferred BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_favored = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
break;
@@ -2092,15 +2108,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
goto fail;
}
- roam_params.num_bssid_avoid_list = nla_get_u32(
+ count = nla_get_u32(
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
+ if (count > MAX_BSSID_AVOID_LIST) {
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
+ count, MAX_BSSID_AVOID_LIST);
+ goto fail;
+ }
hddLog(VOS_TRACE_LEVEL_DEBUG,
- FL("Num of blacklist BSSID (%d)"),
- roam_params.num_bssid_avoid_list);
+ FL("Num of blacklist BSSID: %d"), count);
i = 0;
nla_for_each_nested(curr_attr,
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
rem) {
+
+ if (i == count) {
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
+ break;
+ }
+
if (nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
nla_data(curr_attr), nla_len(curr_attr),
@@ -2121,6 +2147,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
roam_params.bssid_avoid_list[i]));
i++;
}
+ if (i < count)
+ hddLog(LOGW,
+ FL("Num Blacklist BSSID %u less than expected %u"),
+ i, count);
+ roam_params.num_bssid_avoid_list = i;
sme_update_roam_params(pHddCtx->hHal, session_id,
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
break;
--
cgit v1.1