mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-20 21:34:24 -05:00
89 lines
3.4 KiB
Diff
89 lines
3.4 KiB
Diff
From 10f0051f7b3b9a7635b0762a8cf102f595f7a268 Mon Sep 17 00:00:00 2001
|
|
From: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
Date: Wed, 30 Nov 2016 12:27:44 -0800
|
|
Subject: qcacld-2.0: Avoid overflow of "set_bssid_hotlist" params
|
|
|
|
The wlan driver supports the following vendor command:
|
|
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
|
|
|
|
This command supplies a "number of APs" attribute as well as a list of
|
|
per-AP attributes. However there is no validation that the number of
|
|
APs provided won't overflow the destination buffer. In addition there
|
|
is no validation that the number of APs actually provided matches the
|
|
number of APs expected.
|
|
|
|
To address these issues:
|
|
* Verify that the expected number of APs doesn't exceed the maximum
|
|
allowed number of APs
|
|
* Verify that the actual number of APs supplied doesn't exceed the
|
|
expected number of APs
|
|
* Only process the actual number of supplied APs if it is less than
|
|
the expected number of APs.
|
|
|
|
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
|
|
CRs-Fixed: 1095770
|
|
---
|
|
CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
|
|
CORE/SERVICES/WMA/wma.c | 4 ++--
|
|
2 files changed, 18 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index d91859f..1991204 100644
|
|
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -2893,6 +2893,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
|
|
}
|
|
pReqMsg->numAp = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]);
|
|
+ if (pReqMsg->numAp > WLAN_EXTSCAN_MAX_HOTLIST_APS) {
|
|
+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"),
|
|
+ pReqMsg->numAp, WLAN_EXTSCAN_MAX_HOTLIST_APS);
|
|
+ goto fail;
|
|
+ }
|
|
hddLog(LOG1, FL("Number of AP %d"), pReqMsg->numAp);
|
|
|
|
/* Parse and fetch lost ap sample size */
|
|
@@ -2911,6 +2916,11 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
|
|
i = 0;
|
|
nla_for_each_nested(apTh,
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {
|
|
+ if (i == pReqMsg->numAp) {
|
|
+ hddLog(LOGW, FL("Ignoring excess AP"));
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
|
nla_data(apTh), nla_len(apTh),
|
|
wlan_hdd_extscan_config_policy)) {
|
|
@@ -2949,6 +2959,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
|
|
i++;
|
|
}
|
|
|
|
+ if (i < pReqMsg->numAp) {
|
|
+ hddLog(LOGW, FL("Number of AP %u less than expected %u"),
|
|
+ i, pReqMsg->numAp);
|
|
+ pReqMsg->numAp = i;
|
|
+ }
|
|
+
|
|
context = &pHddCtx->ext_scan_context;
|
|
spin_lock(&hdd_context_lock);
|
|
INIT_COMPLETION(context->response_event);
|
|
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
|
|
index 2cf66bf..8ab1d2d 100644
|
|
--- a/CORE/SERVICES/WMA/wma.c
|
|
+++ b/CORE/SERVICES/WMA/wma.c
|
|
@@ -28633,8 +28633,8 @@ VOS_STATUS wma_get_buf_extscan_hotlist_cmd(tp_wma_handle wma_handle,
|
|
/* setbssid hotlist expects the bssid list
|
|
* to be non zero value
|
|
*/
|
|
- if (!numap) {
|
|
- WMA_LOGE("%s: Invalid number of bssid's", __func__);
|
|
+ if ((numap <= 0) || (numap > WLAN_EXTSCAN_MAX_HOTLIST_APS)) {
|
|
+ WMA_LOGE("%s: Invalid number of APs: %d", __func__, numap);
|
|
return VOS_STATUS_E_INVAL;
|
|
}
|
|
num_entries = wma_get_hotlist_entries_per_page(wma_handle->wmi_handle,
|
|
--
|
|
cgit v1.1
|
|
|