
From e55ddf68568a33288d76f5e00c93f8157cb9a632 Mon Sep 17 00:00:00 2001
From: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Date: Fri, 27 Jan 2017 17:14:19 -0800
Subject: [PATCH] net: wireless: bcmdhd: Fix for arbitrary memory free.
Fix for arbitrary memory free in nexus6p's wifi driver
function wl_cfgvendor_dbg_get_mem_dump. Current fix
includes initializing mem_buf to NULL and checking whether the
len is valid or not. Also check if buf_len is valid
or not. If buf_len is not valid then mem_buf will be
set to NULL.
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Change-Id: Ia98ce18f0437d38d6f6d77033af7477ae12574e3
Bug: 34624457
---
drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 29 ++++++++++++++++++++++++++---
1 file changed, 26 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
index 9a73de20f1298..1f5152f66ab36 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
@@ -2283,7 +2283,7 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
int buf_len = 0;
void __user *user_buf = NULL;
const struct nlattr *iter;
- char *mem_buf;
+ char *mem_buf = NULL;
struct sk_buff *skb;
struct bcm_cfg80211 *cfg = wiphy_priv(wiphy);
@@ -2291,10 +2291,33 @@ static int wl_cfgvendor_dbg_get_mem_dump(struct wiphy *wiphy,
type = nla_type(iter);
switch (type) {
case DEBUG_ATTRIBUTE_FW_DUMP_LEN:
- buf_len = nla_get_u32(iter);
+ /* Check if the iter is valid and
+ * buffer length is not already initialized.
+ */
+ if ((nla_len(iter) == sizeof(uint32)) &&
+ !buf_len) {
+ buf_len = nla_get_u32(iter);
+ if (buf_len <= 0) {
+ ret = BCME_ERROR;
+ goto exit;
+ }
+ } else {
+ ret = BCME_ERROR;
+ goto exit;
+ }
break;
case DEBUG_ATTRIBUTE_FW_DUMP_DATA:
- user_buf = (void __user *)(unsigned long) nla_get_u64(iter);
+ if (nla_len(iter) != sizeof(uint64)) {
+ WL_ERR(("Invalid len\n"));
+ ret = BCME_ERROR;
+ goto exit;
+ }
+ user_buf =
+ (void __user *)(unsigned long)nla_get_u64(iter);
+ if (!user_buf) {
+ ret = BCME_ERROR;
+ goto exit;
+ }
break;
default:
WL_ERR(("Unknown type: %d\n", type));
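Review bot: The DEBUG_ATTRIBUTE_FW_DUMP_LEN branch now rejects zero and negative values, but any positive u32 up to INT_MAX still passes and nothing in the hunk caps buf_len against the size of the dump the driver actually holds; the allocation and copy that consume buf_len lie outside this hunk, so whether they bound it themselves cannot be confirmed here. If they do not, the check should become `if (buf_len <= 0 || buf_len > <maximum dump size the driver supports>) {` (placeholder for the driver's own limit). The same branch also fails silently on a bad attribute, while the DEBUG_ATTRIBUTE_FW_DUMP_DATA branch logs `WL_ERR(("Invalid len\n"));` before returning; logging in both places would make a rejected request traceable. wl_cfgvendor_dbg_get_mem_dump begins before the first hunk and continues past this one.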