Git-Mirrors/DivestOS
1
0
Fork 0
mirror of https://github.com/Divested-Mobile/DivestOS-Build.git synced 2024-07-08 20:31:57 +00:00
Code Issues Packages Projects Releases Wiki Activity
86c2d7a648
DivestOS/Patches/Linux_CVEs/CVE-2015-0570/2.patch

186 lines
8.2 KiB
Diff
Raw Blame History

From 255dd931573beb3afca15909f483f26db22a5c98 Mon Sep 17 00:00:00 2001
From: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Date: Wed, 28 Oct 2015 20:58:02 -0700
Subject: [PATCH] qcacld 2.0: Validate ioctls for valid input length
prima to qcacld-2.0 propagation
Return failure to applications if ioctl is invoked with arguments
of improper length.
CRs-Fixed: 930542
Git-commit: 8bd73c3452ab22ba9bdbaac5ab12de2ed25fcb9d
Bug: 25344453
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
---
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c | 62 +++++++++++++++++-----
1 file changed, 48 insertions(+), 14 deletions(-)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
index 1f56db21d64dd..51ee5474a53d1 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -3880,6 +3880,7 @@ static int iw_softap_setwpsie(struct net_device *dev,
u_int8_t WPSIeType;
u_int16_t length;
struct iw_point s_priv_data;
+ int ret = 0;
ENTER();
@@ -3925,9 +3926,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -3985,6 +3985,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
pos += length;
@@ -3999,9 +4004,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
default:
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
}
}
@@ -4013,9 +4017,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
default:
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return 0;
+ ret = -EINVAL;
+ goto exit;
}
}
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
@@ -4027,9 +4030,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -4093,6 +4095,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
pos += length;
@@ -4102,6 +4109,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
@@ -4112,6 +4124,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
@@ -4121,6 +4138,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
@@ -4130,6 +4152,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
@@ -4153,6 +4180,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
pos += length;
@@ -4189,6 +4221,8 @@ static int iw_softap_setwpsie(struct net_device *dev,
#else
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
#endif
+ if (halStatus != eHAL_STATUS_SUCCESS)
+ ret = -EINVAL;
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
{
@@ -4200,11 +4234,11 @@ static int iw_softap_setwpsie(struct net_device *dev,
WLANSAP_Update_WpsIe ( pVosContext );
#endif
}
-
+exit:
vos_mem_free(pSap_WPSIe);
kfree(fwps_genie);
EXIT();
- return halStatus;
+ return ret;
}
static int iw_softap_stopbss(struct net_device *dev,
Reference in New Issue View Git Blame Copy Permalink