DivestOS/Patches/Linux_CVEs/CVE-2015-0571/qcacld-2.0/0013.patch
2017-11-07 18:55:10 -05:00


From fb9fb202c71547dba648c9b08d97645c6f42ca6e Mon Sep 17 00:00:00 2001
From: Mahesh A Saptasagar <c_msapta@qti.qualcomm.com>
Date: Wed, 28 Oct 2015 16:36:56 +0530
Subject: qcacld 2.0: Validate WPA and RSN IE for valid length
prima to qcacld-2.0 propagation
Return failure to applications if genie ioctl is invoked to configure
WPS/WPA/RSN IEs with arguments of improper length.
Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6
CRs-Fixed: 931451
---
CORE/HDD/src/wlan_hdd_wext.c | 34 +++++++++++++++++++++++++---------
1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 28a280b..4349e6b 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -2613,8 +2613,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
case IE_EID_VENDOR:
if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
{
- kfree(base_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
@@ -2628,8 +2628,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
"Need bigger buffer space");
VOS_ASSERT(0);
- kfree(base_genie);
- return -ENOMEM;
+ ret = -EINVAL;
+ goto exit;
}
// save to Additional IE ; it should be accumulated to handle WPS IE + other IE
memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
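Review bot: The errno for the "Cannot accommodate genIE" failure is now inconsistent, because this branch switches to `ret = -EINVAL;` while the matching branch in the later `@@ -2654,8 +2662,8 @@` hunk keeps `ret = -ENOMEM;`. Both branches log the same message for an oversized IE, so user space would see two different error codes for one condition. The commit message describes this as rejecting arguments of improper length, so `ret = -EINVAL;` in both places would match that intent. The `if` guarding this block starts above the hunk, so the exact condition being tested is not visible here.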
@@ -2638,6 +2638,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
{
hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ ret = -EINVAL;
+ VOS_ASSERT(0);
+ goto exit;
+ }
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
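Review bot: The new guard bounds the copy with `sizeof(pWextState->WPARSNIE)`, but the `memset` directly after it still clears `MAX_WPA_RSN_IE_LEN` bytes, so the two only agree if the array is declared with exactly that size, which is not visible here. Using one expression for both, `memset(pWextState->WPARSNIE, 0, sizeof(pWextState->WPARSNIE));`, keeps the clear and the check tied to the real buffer. The added `VOS_ASSERT(0);` also sits on a path reached purely by an ioctl-supplied length. If that macro does more than log in some build configurations, any caller of the ioctl can trigger it at will, so consider dropping it and logging at error level instead of `VOS_TRACE_LEVEL_FATAL`. The same two points apply to the identical block added under `case DOT11F_EID_RSN:` in the `@@ -2664,6 +2672,14 @@` hunk.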
@@ -2654,8 +2662,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
"Need bigger buffer space");
VOS_ASSERT(0);
- kfree(base_genie);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto exit;
}
// save to Additional IE ; it should be accumulated to handle WPS IE + other IE
memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
@@ -2664,6 +2672,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
break;
case DOT11F_EID_RSN:
hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ ret = -EINVAL;
+ VOS_ASSERT(0);
+ goto exit;
+ }
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
@@ -2672,15 +2688,15 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
default:
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
- kfree(base_genie);
- return 0;
+ goto exit;
}
genie += eLen;
remLen -= eLen;
}
+exit:
EXIT();
kfree(base_genie);
- return 0;
+ return ret;
}
/**
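Review bot: The `default:` branch now does a bare `goto exit;`, so the value returned for an unknown IE depends on how `ret` is initialised, and its declaration is outside this hunk. The old code returned 0 explicitly; writing `ret = 0;` before the `goto` (or `ret = -EINVAL;` if unknown IEs should be rejected) would make the intent visible at this point. Separately, `genie += eLen; remLen -= eLen;` advances by a length taken from the user buffer. The checks added in this patch bound only the destination buffers. Unless the loop head above the hunk already rejects `eLen > remLen`, the `memcpy` calls can still read past the end of `base_genie`; a guard such as `if (eLen > remLen) { ret = -EINVAL; goto exit; }` right after `eLen` is read would cover the source side.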
--
cgit v1.1