mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2025-01-18 02:47:17 -05:00
128 lines
4.7 KiB
Diff
128 lines
4.7 KiB
Diff
From 138c690bd39a3f1ba14450e308ebc56bbda1f5b2 Mon Sep 17 00:00:00 2001
|
|
From: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
Date: Mon, 28 Nov 2016 20:47:30 -0800
|
|
Subject: [PATCH] qcacld-2.0: Avoid overflow of roam subcmd params
|
|
|
|
Currently when processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor
|
|
command, for the following roam commands there are input validation
|
|
issues:
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
|
|
QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID
|
|
|
|
Both of these commands have a "number of BSSIDs" attribute as well as a
|
|
list of BSSIDs. However there is no validation that the number of
|
|
BSSIDs provided won't overflow the destination buffer. In addition
|
|
there is no validation that the number of BSSIDs actually provided
|
|
matches the number of BSSIDs expected.
|
|
|
|
To address these issues, for the above mentioned commands:
|
|
* Verify that the expected number of BSSIDs doesn't exceed the maximum
|
|
allowed number of BSSIDs
|
|
* Verify that the actual number of BSSIDs supplied doesn't exceed the
|
|
expected number of BSSIDs
|
|
* Only process the actual number of supplied BSSIDs if it is less than
|
|
the expected number of BSSIDs.
|
|
|
|
Change-Id: Ifa6121ee1b1441ec415198897ef815b40cb5aff6
|
|
CRs-Fixed: 1092497
|
|
Bug: 32402310 32402604 32871330
|
|
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
|
|
---
|
|
.../qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 43 +++++++++++++++++++---
|
|
1 file changed, 37 insertions(+), 6 deletions(-)
|
|
|
|
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
index 89dba5d54b627..fd23a304b93bd 100644
|
|
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
|
|
@@ -1799,6 +1799,7 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
struct nlattr *tb2[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX + 1];
|
|
int rem, i;
|
|
uint32_t buf_len = 0;
|
|
+ uint32_t count;
|
|
int ret;
|
|
|
|
if (VOS_FTM_MODE == hdd_get_conparam()) {
|
|
@@ -1974,15 +1975,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
hddLog(LOGE, FL("attr num of preferred bssid failed"));
|
|
goto fail;
|
|
}
|
|
- roam_params.num_bssid_favored = nla_get_u32(
|
|
+ count = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_LAZY_ROAM_NUM_BSSID]);
|
|
+ if (count > MAX_BSSID_FAVORED) {
|
|
+ hddLog(LOGE, FL("Preferred BSSID count %u exceeds max %u"),
|
|
+ count, MAX_BSSID_FAVORED);
|
|
+ goto fail;
|
|
+ }
|
|
hddLog(VOS_TRACE_LEVEL_DEBUG,
|
|
- FL("Num of Preferred BSSID (%d)"),
|
|
- roam_params.num_bssid_favored);
|
|
+ FL("Num of Preferred BSSID: %d"), count);
|
|
i = 0;
|
|
nla_for_each_nested(curr_attr,
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PREFS],
|
|
rem) {
|
|
+
|
|
+ if (i == count) {
|
|
+ hddLog(LOGW, FL("Ignoring excess Preferred BSSID"));
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(tb2,
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
@@ -2012,6 +2023,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
roam_params.bssid_favored_factor[i]);
|
|
i++;
|
|
}
|
|
+ if (i < count)
|
|
+ hddLog(LOGW,
|
|
+ FL("Num Preferred BSSID %u less than expected %u"),
|
|
+ i, count);
|
|
+ roam_params.num_bssid_favored = i;
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
roam_params, REASON_ROAM_SET_FAVORED_BSSID);
|
|
break;
|
|
@@ -2021,15 +2037,25 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
hddLog(LOGE, FL("attr num of blacklist bssid failed"));
|
|
goto fail;
|
|
}
|
|
- roam_params.num_bssid_avoid_list = nla_get_u32(
|
|
+ count = nla_get_u32(
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS_NUM_BSSID]);
|
|
+ if (count > MAX_BSSID_AVOID_LIST) {
|
|
+ hddLog(LOGE, FL("Blacklist BSSID count %u exceeds max %u"),
|
|
+ count, MAX_BSSID_AVOID_LIST);
|
|
+ goto fail;
|
|
+ }
|
|
hddLog(VOS_TRACE_LEVEL_DEBUG,
|
|
- FL("Num of blacklist BSSID (%d)"),
|
|
- roam_params.num_bssid_avoid_list);
|
|
+ FL("Num of blacklist BSSID: %d"), count);
|
|
i = 0;
|
|
nla_for_each_nested(curr_attr,
|
|
tb[QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_SET_BSSID_PARAMS],
|
|
rem) {
|
|
+
|
|
+ if (i == count) {
|
|
+ hddLog(LOGW, FL("Ignoring excess Blacklist BSSID"));
|
|
+ break;
|
|
+ }
|
|
+
|
|
if (nla_parse(tb2,
|
|
QCA_WLAN_VENDOR_ATTR_ROAMING_PARAM_MAX,
|
|
nla_data(curr_attr), nla_len(curr_attr),
|
|
@@ -2050,6 +2076,11 @@ __wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
|
|
roam_params.bssid_avoid_list[i]));
|
|
i++;
|
|
}
|
|
+ if (i < count)
|
|
+ hddLog(LOGW,
|
|
+ FL("Num Blacklist BSSID %u less than expected %u"),
|
|
+ i, count);
|
|
+ roam_params.num_bssid_avoid_list = i;
|
|
sme_update_roam_params(pHddCtx->hHal, session_id,
|
|
roam_params, REASON_ROAM_SET_BLACKLIST_BSSID);
|
|
break;
|