DivestOS/Patches/Linux_CVEs-New/CVE-2016-8420/ANY/1.patch
2017-10-29 14:23:02 -04:00


From 983ad9423f67549b074cdb4fd5e51ed8248e2ccd Mon Sep 17 00:00:00 2001
From: Srinivas Girigowda <sgirigow@codeaurora.org>
Date: Wed, 9 Nov 2016 13:55:17 -0800
Subject: [PATCH] qcacld-2.0: Avoid overflow of EPNO network list

Currently when processing an EPNO vendor command the "num networks"
attribute is limit checked and if it exceeds a MAX value then it is
reset to that MAX value. This value is then used to calculate the size
of the buffer allocated to hold the internal representation of the
request. However later when the network attributes are parsed there is
no check to make sure the number of networks processed does not exceed
the (possibly modified) "num networks" used to allocate memory, and as
a result a buffer overflow can occur. Address this issue by aborting
the network parsing once "num networks" records have been parsed.

Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a
CRs-Fixed: 1087807
Bug: 32451171
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
---
drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index 29f388fc7433f..a22714874062e 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -4691,11 +4691,19 @@ static int hdd_extscan_epno_fill_network_list(
struct nlattr *networks;
int rem1, ssid_len;
uint8_t index, *ssid;
+ uint32_t expected_networks;
+ expected_networks = req_msg->num_networks;
index = 0;
nla_for_each_nested(networks,
tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
rem1) {
+
+ if (index == expected_networks) {
+ hddLog(LOGW, FL("ignoring excess networks"));
+ break;
+ }
+
if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
nla_data(networks), nla_len(networks),
wlan_hdd_pno_config_policy)) {
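Review bot: the new bound check compares a `uint8_t` counter (`index`) against a `uint32_t` bound (`expected_networks`), so it only holds if the MAX cap that `num_networks` was clamped to is guaranteed to be at most 255; otherwise `index` wraps to 0 after 255 entries and `index == expected_networks` is never reached, leaving the overflow the patch is meant to close. Declare the two with the same width (e.g. make `index` a `uint32_t`, or assert the cap fits in `uint8_t` where it is defined) so the comparison cannot be defeated by wraparound. The placement is otherwise right: checking at the top of the `nla_for_each_nested` body, before `nla_parse` and before any write into the slot, means no entry past the allocated `num_networks` is touched, and the `hddLog(LOGW, ...)` line gives defenders a log signal when a request carries more networks than it declared.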
@@ -4743,6 +4751,7 @@ static int hdd_extscan_epno_fill_network_list(
index++;
}
+ req_msg->num_networks = index;
return 0;
}
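Review bot: writing back `req_msg->num_networks = index;` after the loop is a necessary companion to the break in the first hunk, since it also covers the opposite mismatch (the attribute list holding fewer networks than "num networks" claimed), so the consumer never reads slots the loop never filled; the commit message only describes the excess case and should mention this under-count handling too. One thing to confirm from the surrounding function: if `index` stays `uint8_t`, the assignment back into what appears to be a 32-bit field is a widening store and safe, but any early `return` inside the loop on an `nla_parse` failure leaves `num_networks` at the caller-supplied value, so callers must not use the request on an error return.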