61 lines
2.3 KiB
Diff

From 08ccf853c567bf02f4a5c9f9aef19a40ecdf57d1 Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Mon, 5 Jun 2017 14:39:26 -0700
Subject: net: wireless: bcmdhd: adding boundary check for pfn events
adding boundary check for bssid count in dhd_pno_process_epno_result
and dhd_handle_hotlist_scan_evt function to prevent heap overflow.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37722328
Bug: 37722970
Change-Id: I1f0bc25ef4e7f5ba8f1aa9d9271919ee84d780a1
---
drivers/net/wireless/bcmdhd/dhd_pno.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
index 8ebdf53..1a8e4ee 100644
--- a/drivers/net/wireless/bcmdhd/dhd_pno.c
+++ b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -92,6 +92,11 @@
#define ENTRY_OVERHEAD strlen("bssid=\nssid=\nfreq=\nlevel=\nage=\ndist=\ndistSd=\n====")
#define TIME_MIN_DIFF 5
+#define EVENT_DATABUF_MAXLEN (512 - sizeof(bcm_event_t))
+#define EVENT_MAX_NETCNT \
+ ((EVENT_DATABUF_MAXLEN - sizeof(wl_pfn_scanresults_t)) \
+ / sizeof(wl_pfn_net_info_t) + 1)
+
#ifdef GSCAN_SUPPORT
static int _dhd_pno_flush_ssid(dhd_pub_t *dhd);
static wl_pfn_gscan_ch_bucket_cfg_t *
@@ -3575,7 +3580,12 @@ dhd_pno_process_epno_result(dhd_pub_t *dhd, const void *data, uint32 event, int
if (event == WLC_E_PFN_NET_FOUND || event == WLC_E_PFN_NET_LOST) {
wl_pfn_scanresults_t *pfn_result = (wl_pfn_scanresults_t *)data;
wl_pfn_net_info_t *net;
-
+ if ((pfn_result->count == 0) ||
+ (pfn_result->count > EVENT_MAX_NETCNT)) {
+ DHD_ERROR(("%s event %d: incorrect results count:%d\n",
+ __FUNCTION__, event, pfn_result->count));
+ return NULL;
+ }
if (pfn_result->version != PFN_SCANRESULT_VERSION) {
DHD_ERROR(("%s event %d: Incorrect version %d %d\n", __FUNCTION__, event,
pfn_result->version, PFN_SCANRESULT_VERSION));
@@ -3690,7 +3700,9 @@ void *dhd_handle_hotlist_scan_evt(dhd_pub_t *dhd, const void *event_data, int *s
gscan_params = &(_pno_state->pno_params_arr[INDEX_OF_GSCAN_PARAMS].params_gscan);
- if (!results->count) {
+ if ((results->count == 0) || (results->count > EVENT_MAX_NETCNT)) {
+ DHD_ERROR(("%s: wrong count:%d\n", __FUNCTION__,
+ results->count));
*send_evt_bytes = 0;
return ptr;
}
--
cgit v1.1