mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
70 lines
2.2 KiB
Diff
70 lines
2.2 KiB
Diff
From e55ddf68568a33288d76f5e00c93f8157cb9a632 Mon Sep 17 00:00:00 2001
|
|
From: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
|
|
Date: Fri, 27 Jan 2017 17:14:19 -0800
|
|
Subject: [PATCH] net: wireless: bcmdhd: Fix for arbitrary memory free.
|
|
|
|
Fix for arbitrary memory free in nexus6p's wifi driver
|
|
function wl_cfgvendor_dbg_get_mem_dump. Current fix
|
|
includes intialize mem_buf to NULL and check if the
|
|
len is valid or not. Also check if buf_len is valid
|
|
or not. If buf_len is not valid then mem_buf will be
|
|
set to NULL.
|
|
|
|
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
|
|
|
|
Change-Id: Ia98ce18f0437d38d6f6d77033af7477ae12574e3
|
|
Bug: 34624457
|
|
---
|
|
drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 29 ++++++++++++++++++++++++++---
|
|
1 file changed, 26 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
|
|
index 9a73de20f1298..1f5152f66ab36 100644
|
|
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
|
|
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
|
|
@@ -2283,7 +2283,7 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
|
|
int buf_len = 0;
|
|
void __user *user_buf = NULL;
|
|
const struct nlattr *iter;
|
|
- char *mem_buf;
|
|
+ char *mem_buf = NULL;
|
|
struct sk_buff *skb;
|
|
struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
|
|
|
|
@@ -2291,10 +2291,33 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
|
|
type = nla_type(iter);
|
|
switch (type) {
|
|
case DEBUG_ATTRIBUTE_FW_DUMP_LEN:
|
|
- buf_len = nla_get_u32(iter);
|
|
+ /* Check if the iter is valid and
|
|
+ * buffer length is not already initialized.
|
|
+ */
|
|
+ if ((nla_len(iter) == sizeof(uint32)) &&
|
|
+ !buf_len) {
|
|
+ buf_len = nla_get_u32(iter);
|
|
+ if (buf_len <= 0) {
|
|
+ ret = BCME_ERROR;
|
|
+ goto exit;
|
|
+ }
|
|
+ } else {
|
|
+ ret = BCME_ERROR;
|
|
+ goto exit;
|
|
+ }
|
|
break;
|
|
case DEBUG_ATTRIBUTE_FW_DUMP_DATA:
|
|
- user_buf = (void __user *)(unsigned long) nla_get_u64(iter);
|
|
+ if (nla_len(iter) != sizeof(uint64)) {
|
|
+ WL_ERR(("Invalid len\n"));
|
|
+ ret = BCME_ERROR;
|
|
+ goto exit;
|
|
+ }
|
|
+ user_buf =
|
|
+ (void __user *)(unsigned long)nla_get_u64(iter);
|
|
+ if (!user_buf) {
|
|
+ ret = BCME_ERROR;
|
|
+ goto exit;
|
|
+ }
|
|
break;
|
|
default:
|
|
WL_ERR(("Unknown type: %d\n", type));
|