DivestOS/Patches/Linux_CVEs/CVE-2016-8465/3.18/0004.patch
2017-11-07 17:32:46 -05:00


From 3619fd91b831f184d2e544e23cb54d20eed2531e Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Wed, 30 Nov 2016 12:00:17 -0800
Subject: net: wireless: bcmdhd: fix hotlist index in wl_cfgvendor_hotlist_cfg
Add a BSSID count element so that NL-TLV parsing can refer to the exact count.
This change needs to be kept in sync with
/hardware/broadcom/wlan/bcmdhd/wifi_hal/gscan.cpp
where GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT is supposed to be used.
Bug: 32474971
Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: Id2b019bb43fb99b3843fe1b32f59e58c7af7cdad
---
drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 39 ++++++++++++++++++++++++------
drivers/net/wireless/bcmdhd/wl_cfgvendor.h | 1 +
2 files changed, 32 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
index 420cb2f..3e80169 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c
@@ -702,7 +702,7 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
GFP_KERNEL);
if (!hotlist_params) {
- WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len));
+ WL_ERR(("Cannot Malloc mem.\n"));
return -ENOMEM;
}
@@ -711,10 +711,33 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
nla_for_each_attr(iter, data, len, tmp2) {
type = nla_type(iter);
switch (type) {
+ case GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT:
+ if (nla_len(iter) != sizeof(uint32)) {
+ WL_DBG(("type:%d length:%d not matching.\n",
+ type, nla_len(inner)));
+ err = -EINVAL;
+ goto exit;
+ }
+ hotlist_params->nbssid = (uint16)nla_get_u32(iter);
+ if ((hotlist_params->nbssid == 0) ||
+ (hotlist_params->nbssid > PFN_SWC_MAX_NUM_APS)) {
+ WL_ERR(("nbssid:%d exceed limit.\n",
+ hotlist_params->nbssid));
+ err = -EINVAL;
+ goto exit;
+ }
+ break;
case GSCAN_ATTRIBUTE_HOTLIST_BSSIDS:
+ if (hotlist_params->nbssid == 0) {
+ WL_ERR(("nbssid not retrieved.\n"));
+ err = -EINVAL;
+ goto exit;
+ }
pbssid = hotlist_params->bssid;
nla_for_each_nested(outer, iter, tmp) {
nla_for_each_nested(inner, outer, tmp1) {
+ if (j >= hotlist_params->nbssid)
+ break;
type = nla_type(inner);
switch (type) {
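Review bot: The length-mismatch branch of the new `GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT` case logs `nla_len(inner)`, but in the visible lines `inner` is only assigned by the nested loops of the BSSIDS case, so on this path it is either unset or left over from an earlier attribute; the argument should be `nla_len(iter)`, the attribute that was just checked. Whether the read actually happens depends on how `WL_DBG` is compiled, which is not visible here. Separately, `(uint16)nla_get_u32(iter)` narrows before the range test, so an out-of-range 32-bit count whose low 16 bits fall within 1..PFN_SWC_MAX_NUM_APS is accepted; reading the value into a 32-bit local, range-checking that, and only then assigning to `nbssid` would reject it. The function body starts and ends outside this hunk.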
@@ -751,13 +774,13 @@ static int wl_cfgvendor_hotlist_cfg(struct wiphy *wiphy,
break;
}
}
- if (++j > PFN_SWC_MAX_NUM_APS) {
- WL_DBG(("nbssid:%d exeed limit.\n",
- hotlist_params->nbssid));
- err = -EINVAL;
- goto exit;
- }
- hotlist_params->nbssid = j;
+ j++;
+ }
+ if (j != hotlist_params->nbssid) {
+ WL_ERR(("bssid_cnt:%d != nbssid:%d.\n", j,
+ hotlist_params->nbssid));
+ err = -EINVAL;
+ goto exit;
}
break;
case GSCAN_ATTRIBUTE_HOTLIST_FLUSH:
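Review bot: The `j != hotlist_params->nbssid` check ties the parsed entries only to the count seen before this BSSIDS attribute; nothing in the visible lines stops a later `GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT` in the same message from overwriting `nbssid` after the entries were validated. The new value still stays within PFN_SWC_MAX_NUM_APS, so this is about the count agreeing with the filled entries rather than about bounds. If code after the loop trusts `nbssid` (not visible in this hunk), rejecting a repeated count in the COUNT case, e.g. `if (hotlist_params->nbssid != 0) { err = -EINVAL; goto exit; }`, would keep the two in agreement; this presumes the buffer is zero-initialised, as the existing `nbssid == 0` "not retrieved" test already does. The enclosing loops begin outside the hunk.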
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
index 58077b3..7d33c62 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
+++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.h
@@ -181,6 +181,7 @@ enum gscan_attributes {
GSCAN_ATTRIBUTE_RSSI_HIGH,
GSCAN_ATTRIBUTE_HOSTLIST_BSSID_ELEM,
GSCAN_ATTRIBUTE_HOTLIST_FLUSH,
+ GSCAN_ATTRIBUTE_HOTLIST_BSSID_COUNT,
/* remaining reserved for additional attributes */
GSCAN_ATTRIBUTE_RSSI_SAMPLE_SIZE = 60,
--
cgit v1.1