mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-17 02:17:23 -05:00
89 lines
3.3 KiB
Diff
89 lines
3.3 KiB
Diff
From 825eeb85d4866e362452b18df929a54a7c6111f6 Mon Sep 17 00:00:00 2001
|
|
From: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
Date: Mon, 10 Jul 2017 11:50:46 -0700
|
|
Subject: qcacld-2.0: Avoid concurrent matrix max param overread
|
|
|
|
qcacld-3.0 to qcacld-2.0 propagation
|
|
|
|
Currently there is no nl policy defined for vendor sub command
|
|
QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
|
|
buffer overread error.
|
|
|
|
To resolve this, add nl policy.
|
|
|
|
Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
|
|
CRs-Fixed: 2058452
|
|
Bug: 37712167
|
|
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
---
|
|
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 24 ++++++++++++++++------
|
|
1 file changed, 18 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index 6d99f2d..13956f9 100644
|
|
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -1666,6 +1666,15 @@ wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
|
|
return ret;
|
|
}
|
|
|
|
+#define MAX_CONCURRENT_MATRIX \
|
|
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
|
|
+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
|
|
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
|
|
+static const struct nla_policy
|
|
+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
|
|
+ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
|
|
+};
|
|
+
|
|
static int
|
|
__wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
|
|
struct wireless_dev *wdev,
|
|
@@ -1674,7 +1683,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
|
|
{
|
|
uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0};
|
|
uint8_t i, feature_sets, max_feature_sets;
|
|
- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
|
|
+ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
|
|
struct sk_buff *reply_skb;
|
|
hdd_context_t *hdd_ctx = wiphy_priv(wiphy);
|
|
int ret;
|
|
@@ -1690,19 +1699,19 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
|
|
if (0 != ret)
|
|
return ret;
|
|
|
|
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
|
|
- data, data_len, NULL)) {
|
|
+ if (nla_parse(tb, MAX_CONCURRENT_MATRIX,
|
|
+ data, data_len, wlan_hdd_get_concurrency_matrix_policy)) {
|
|
hddLog(LOGE, FL("Invalid ATTR"));
|
|
return -EINVAL;
|
|
}
|
|
|
|
/* Parse and fetch max feature set */
|
|
- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
|
|
+ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
|
|
hddLog(LOGE, FL("Attr max feature set size failed"));
|
|
return -EINVAL;
|
|
}
|
|
- max_feature_sets = nla_get_u32(
|
|
- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
|
|
+
|
|
+ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
|
|
hddLog(LOG1, FL("Max feature set size: %d"), max_feature_sets);
|
|
|
|
/* Fill feature combination matrix */
|
|
@@ -1744,6 +1753,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
|
|
return -ENOMEM;
|
|
}
|
|
|
|
+#undef MAX_CONCURRENT_MATRIX
|
|
+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
|
|
+
|
|
/**
|
|
* wlan_hdd_cfg80211_get_concurrency_matrix() - get concurrency matrix
|
|
* @wiphy: pointer to wireless wiphy structure.
|
|
--
|
|
cgit v1.1
|
|
|