mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
99 lines
3.4 KiB
Diff
99 lines
3.4 KiB
Diff
From a4f790c140d9813c3af66a9b367b4568e053278a Mon Sep 17 00:00:00 2001
|
|
From: Ashish Kumar Goswami <agoswa@codeaurora.org>
|
|
Date: Fri, 23 Dec 2016 13:20:45 +0530
|
|
Subject: qcacld-2.0: Avoid integer overflow in wma_enable_arp_ns_offload
|
|
|
|
In the function wma_enable_arp_ns_offload(), the len variable is
|
|
defined as signed 32 bit, whereas wmi_buf_alloc() takes unsigned
|
|
16 bit as input also there is no limit on input of
|
|
num_ns_offload_count.
|
|
|
|
Fix is to define the len variable in wma_enable_arp_ns_offload()
|
|
as unsigned 32 bit. The length input for wmi_buf_alloc() is also
|
|
extended and re-defined as unsigned 32 bit. Add limit check before
|
|
using num_ns_offload_count.
|
|
|
|
Change-Id: I5063df9551074e964eef67abeb8afcf104e50808
|
|
CRs-Fixed: 1103099
|
|
---
|
|
CORE/SERVICES/COMMON/wmi_unified_api.h | 4 ++--
|
|
CORE/SERVICES/WMA/wma.c | 9 +++++++--
|
|
CORE/SERVICES/WMI/wmi_unified.c | 4 ++--
|
|
3 files changed, 11 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/CORE/SERVICES/COMMON/wmi_unified_api.h b/CORE/SERVICES/COMMON/wmi_unified_api.h
|
|
index cd9f923..2912d47 100644
|
|
--- a/CORE/SERVICES/COMMON/wmi_unified_api.h
|
|
+++ b/CORE/SERVICES/COMMON/wmi_unified_api.h
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2013-2014 The Linux Foundation. All rights reserved.
|
|
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
|
|
*
|
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
|
*
|
|
@@ -69,7 +69,7 @@ wmi_unified_remove_work(struct wmi_unified* wmi_handle);
|
|
* @return wmi_buf_t.
|
|
*/
|
|
wmi_buf_t
|
|
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len);
|
|
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len);
|
|
|
|
|
|
/**
|
|
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
|
|
index f09c8fd..c802405 100644
|
|
--- a/CORE/SERVICES/WMA/wma.c
|
|
+++ b/CORE/SERVICES/WMA/wma.c
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2013-2016 The Linux Foundation. All rights reserved.
|
|
+ * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
|
|
*
|
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
|
*
|
|
@@ -22719,7 +22719,7 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR
|
|
WMI_ARP_OFFLOAD_TUPLE *arp_tuple;
|
|
A_UINT8* buf_ptr;
|
|
wmi_buf_t buf;
|
|
- int32_t len;
|
|
+ uint32_t len;
|
|
u_int8_t vdev_id;
|
|
uint32_t count = 0, num_ns_ext_tuples = 0;
|
|
|
|
@@ -22740,6 +22740,11 @@ static VOS_STATUS wma_enable_arp_ns_offload(tp_wma_handle wma, tpSirHostOffloadR
|
|
if (!bArpOnly)
|
|
count = pHostOffloadParams->num_ns_offload_count;
|
|
|
|
+ if (count >= SIR_MAC_NUM_TARGET_IPV6_NS_OFFLOAD_NA) {
|
|
+ vos_mem_free(pHostOffloadParams);
|
|
+ return VOS_STATUS_E_FAILURE;
|
|
+ }
|
|
+
|
|
len = sizeof(WMI_SET_ARP_NS_OFFLOAD_CMD_fixed_param) +
|
|
WMI_TLV_HDR_SIZE + // TLV place holder size for array of NS tuples
|
|
WMI_MAX_NS_OFFLOADS*sizeof(WMI_NS_OFFLOAD_TUPLE) +
|
|
diff --git a/CORE/SERVICES/WMI/wmi_unified.c b/CORE/SERVICES/WMI/wmi_unified.c
|
|
index 463a324..c0663d3 100644
|
|
--- a/CORE/SERVICES/WMI/wmi_unified.c
|
|
+++ b/CORE/SERVICES/WMI/wmi_unified.c
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- * Copyright (c) 2014-2016 The Linux Foundation. All rights reserved.
|
|
+ * Copyright (c) 2014-2017 The Linux Foundation. All rights reserved.
|
|
*
|
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
|
*
|
|
@@ -131,7 +131,7 @@ uint16_t wmi_get_max_msg_len(wmi_unified_t wmi_handle)
|
|
}
|
|
|
|
wmi_buf_t
|
|
-wmi_buf_alloc(wmi_unified_t wmi_handle, u_int16_t len)
|
|
+wmi_buf_alloc(wmi_unified_t wmi_handle, uint32_t len)
|
|
{
|
|
wmi_buf_t wmi_buf;
|
|
|
|
--
|
|
cgit v1.1
|
|
|