authorJeff Johnson <jjohnson@codeaurora.org>2016-11-09 10:23:02 -0800
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2016-11-15 19:19:53 +0530
commit31ea4c07662f72bd48f539dcc1611092cc6f2a84 (patch)
treec332353dd1fade3088abc7aed0a97b26e217954b
parentf34255258951e712574a2a237b446a88153fe3ee (diff)
qcacld-2.0: Avoid overflow of EPNO network list
Currently, when processing an EPNO vendor command, the "num networks" attribute is limit-checked and, if it exceeds a MAX value, is reset to that MAX value. This value is then used to calculate the size of the buffer allocated to hold the internal representation of the request. However, when the network attributes are parsed later, there is no check that the number of networks processed does not exceed the (possibly modified) "num networks" used to allocate the memory, and as a result a buffer overflow can occur. Address this issue by aborting the network parsing once "num networks" records have been parsed. Change-Id: I6e5f321d23471d082bb000ad0422ea9baa76577a CRs-Fixed: 1087807
-rw-r--r--CORE/HDD/src/wlan_hdd_cfg80211.c9
1 files changed, 9 insertions, 0 deletions
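diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 92cbb67caf08..233482d6ae22 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -4825,11 +4825,19 @@ static int hdd_extscan_epno_fill_network_list(
 struct nlattr *networks;
 int rem1, ssid_len;
 uint8_t index, *ssid;
+uint32_t expected_networks;
+expected_networks = req_msg->num_networks;
 index = 0;
 nla_for_each_nested(networks,
 tb[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORKS_LIST],
 rem1) {
+
+if (index == expected_networks) {
+hddLog(LOGW, FL("ignoring excess networks"));
+break;
+}
+
 if (nla_parse(network, QCA_WLAN_VENDOR_ATTR_PNO_MAX,
 nla_data(networks), nla_len(networks),
 wlan_hdd_pno_config_policy)) {
@@ -4883,6 +4891,7 @@ static int hdd_extscan_epno_fill_network_list(
 index++;
 }
+req_msg->num_networks = index;
 return 0;
 }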
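Review bot: The new guard `if (index == expected_networks)` compares a `uint8_t` counter against a `uint32_t` limit, so if the MAX value that `num_networks` is clamped to (outside this hunk) is ever larger than 255, `index` wraps to 0 after 256 iterations, the equality never fires, and the overflow this change is meant to close is reopened. Widening the counter to the limit's type removes that dependency on the clamp value: replace `uint8_t index, *ssid;` with `uint32_t index;` and `uint8_t *ssid;`, which also makes the final `req_msg->num_networks = index;` a same-width store. Whether MAX is currently at most 255 cannot be confirmed from this hunk, and any other use of `index` in the elided middle of the loop body would need the same check. hdd_extscan_epno_fill_network_list begins before the first hunk.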