DivestOS/Patches/Linux_CVEs/CVE-2017-11002/prima/0001.patch
2017-11-07 18:55:10 -05:00


From 64c0865bb0c5a642ba420967b23e0f66e035b300 Mon Sep 17 00:00:00 2001
From: Rajeev Kumar Sirasanagandla <rsirasan@codeaurora.org>
Date: Tue, 13 Jun 2017 12:04:09 +0530
Subject: wlan: Avoid concurrent matrix max param overread
qcacld-3.0 to prima propagation.
Currently there is no nl policy defined for vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
buffer overread error.
To resolve this, add nl policy.
Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
CRs-Fixed: 2058455
---
CORE/HDD/src/wlan_hdd_cfg80211.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b8f74cc..0c36e73 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -4985,6 +4985,15 @@ wlan_hdd_cfg80211_get_supported_features(struct wiphy *wiphy,
return ret;
}
+#define MAX_CONCURRENT_MATRIX \
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
+ QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+static const struct nla_policy
+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
+ [MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
+};
+
static int
__wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
struct wireless_dev *wdev,
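Review bot: The new `wlan_hdd_get_concurrency_matrix_policy` table has no comment explaining why it exists, which is the security-relevant part of this change. With a NULL policy `nla_parse()` does no per-attribute length check, so `nla_get_u32()` could read four bytes from a shorter attribute. I would add above the table `/* Rejects a CONFIG_PARAM_SET_SIZE_MAX attribute shorter than a u32 so nla_get_u32() cannot over-read it. */`. The two `#define` aliases stay at file scope until the `#undef` pair in the last hunk, so a short comment noting that pairing would help keep them from leaking if the function is moved. The function whose signature begins at the end of this hunk continues outside it.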
@@ -4992,7 +5001,7 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
{
uint32_t feature_set_matrix[WLAN_HDD_MAX_FEATURE_SET] = {0};
uint8_t i, feature_sets, max_feature_sets;
- struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
+ struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
struct sk_buff *reply_skb;
hdd_context_t *pHddCtx = wiphy_priv(wiphy);
int ret;
@@ -5005,19 +5014,18 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
return ret;
}
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
- data, data_len, NULL)) {
+ if (nla_parse(tb, MAX_CONCURRENT_MATRIX, data, data_len,
+ wlan_hdd_get_concurrency_matrix_policy)) {
hddLog(LOGE, FL("Invalid ATTR"));
return -EINVAL;
}
/* Parse and fetch max feature set */
- if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
+ if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
hddLog(LOGE, FL("Attr max feature set size failed"));
return -EINVAL;
}
- max_feature_sets = nla_get_u32(
- tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
+ max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
hddLog(LOG1, FL("Max feature set size (%d)"), max_feature_sets);
/* Fill feature combination matrix */
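Review bot: The result of `nla_get_u32()` is stored in `max_feature_sets`, which the previous hunk's context declares as `uint8_t`, so a caller-supplied value above 255 is silently truncated (256 becomes 0) before it is logged or used. The policy added by this commit guarantees a four-byte payload but puts no bound on the value. Consider reading into a 32-bit local and clamping, for example `uint32_t req = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);` followed by `max_feature_sets = min_t(uint32_t, req, WLAN_HDD_MAX_FEATURE_SET);`. The code that consumes the value lies outside this hunk, so the impact is presumably a wrong matrix size rather than a memory error, but that should be confirmed against the rest of the function.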
@@ -5068,6 +5076,9 @@ __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
}
+#undef MAX_CONCURRENT_MATRIX
+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+
static int
wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
struct wireless_dev *wdev,
--
cgit v1.1