DivestOS/Patches/Linux_CVEs/CVE-2017-0439/ANY/0.patch

From 81b6b5538d3227ed4b925fcceedb109abb2a4c61 Mon Sep 17 00:00:00 2001
From: Jeff Johnson <jjohnson@codeaurora.org>
Date: Fri, 18 Nov 2016 11:35:01 -0800
Subject: qcacld-2.0: Avoid overflow of passpoint network list

Currently when processing a passpoint vendor command the "num
networks" attribute is limit checked and if it exceeds a MAX value
then the command is rejected. Otherwise this value is used to
calculate the size of the buffer allocated to hold the internal
representation of the request. However later when the network
attributes are parsed there is no check to make sure the number of
networks processed does not exceed the "num networks" used to allocate
memory, and as a result a buffer overflow can occur. Address this
issue by aborting the network parsing once "num networks" records have
been parsed.

Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6
CRs-Fixed: 1092059
---
 CORE/HDD/src/wlan_hdd_cfg80211.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index a2ff8fe..54c5e54 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -5127,11 +5127,19 @@ static int hdd_extscan_passpoint_fill_network_list(
 	struct nlattr *networks;
 	int rem1, len;
 	uint8_t index;
+	uint32_t expected_networks;
 
+	expected_networks = req_msg->num_networks;
 	index = 0;
 	nla_for_each_nested(networks,
 		tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY],
 		rem1) {
+
+		if (index == expected_networks) {
+			hddLog(LOGW, FL("ignoring excess networks"));
+			break;
+		}
+
 		if (nla_parse(network,
 			QCA_WLAN_VENDOR_ATTR_PNO_MAX,
 			nla_data(networks), nla_len(networks), NULL)) {
@@ -5193,6 +5201,7 @@ static int hdd_extscan_passpoint_fill_network_list(
 
 		index++;
 	}
+	req_msg->num_networks = index;
 	return 0;
 }
 
-- 
cgit v1.1