mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 05:35:54 +00:00
72 lines
2.6 KiB
Diff
72 lines
2.6 KiB
Diff
From 054ce0761e900c5f63089393f8b6cadf17d55ade Mon Sep 17 00:00:00 2001
|
|
From: Hanumanth Reddy Pothula <c_hpothu@codeaurora.org>
|
|
Date: Fri, 27 Jan 2017 16:43:45 +0530
|
|
Subject: prima: Avoid overflow of "set_bssid_hotlist" params
|
|
|
|
qcacld2.0 to prima propgation
|
|
|
|
The wlan driver supports the following vendor command:
|
|
QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_BSSID_HOTLIST
|
|
|
|
This command supplies a "number of APs" attribute as well as a list of
|
|
per-AP attributes. However there is no validation that the number of
|
|
APs provided won't overflow the destination buffer. In addition there
|
|
is no validation that the number of APs actually provided matches the
|
|
number of APs expected.
|
|
|
|
To address these issues:
|
|
* Verify that the expected number of APs doesn't exceed the maximum
|
|
allowed number of APs
|
|
* Verify that the actual number of APs supplied doesn't exceed the
|
|
expected number of APs
|
|
* Only process the actual number of supplied APs if it is less than
|
|
the expected number of APs.
|
|
|
|
Change-Id: I41e36d11bc3e71928866a27afc2fbf046b59f0f5
|
|
CRs-Fixed: 1095770
|
|
---
|
|
CORE/HDD/src/wlan_hdd_cfg80211.c | 16 ++++++++++++++++
|
|
1 file changed, 16 insertions(+)
|
|
|
|
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index 8aa38d1..f130174 100644
|
|
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -3764,10 +3764,20 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
|
|
|
|
pReqMsg->numBssid = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BSSID_HOTLIST_PARAMS_NUM_AP]);
|
|
+ if (pReqMsg->numBssid > WLAN_EXTSCAN_MAX_HOTLIST_APS) {
|
|
+ hddLog(LOGE, FL("Number of AP: %u exceeds max: %u"),
|
|
+ pReqMsg->numBssid, WLAN_EXTSCAN_MAX_HOTLIST_APS);
|
|
+ goto fail;
|
|
+ }
|
|
hddLog(VOS_TRACE_LEVEL_INFO, FL("Number of AP (%d)"), pReqMsg->numBssid);
|
|
|
|
nla_for_each_nested(apTh,
|
|
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM], rem) {
|
|
+ if (i == pReqMsg->numBssid) {
|
|
+ hddLog(LOGW, FL("Ignoring excess AP"));
|
|
+ break;
|
|
+ }
|
|
+
|
|
if(nla_parse(tb2, QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
|
|
nla_data(apTh), nla_len(apTh),
|
|
NULL)) {
|
|
@@ -3806,6 +3816,12 @@ static int __wlan_hdd_cfg80211_extscan_set_bssid_hotlist(struct wiphy *wiphy,
|
|
i++;
|
|
}
|
|
|
|
+ if (i < pReqMsg->numBssid) {
|
|
+ hddLog(LOGW, FL("Number of AP %u less than expected %u"),
|
|
+ i, pReqMsg->numBssid);
|
|
+ pReqMsg->numBssid = i;
|
|
+ }
|
|
+
|
|
context = &pHddCtx->ext_scan_context;
|
|
spin_lock(&hdd_context_lock);
|
|
INIT_COMPLETION(context->response_event);
|
|
--
|
|
cgit v1.1
|
|
|