authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2018-04-24 14:13:13 +0530
committernshrivas <nshrivas@codeaurora.org>2018-05-15 10:23:32 -0700
commit237c540f8a67e3fdb539bba321713868a2e38ba2 (patch)
tree498c333d4d752c50a320b2e0028bf7c9482bc507
parentc7ca4d454e3e415a3324431255592b11e11ff5d7 (diff)
qcacld-3.0: Fix OOB read in iw_hdd_set_var_ints_getnone
From the IOCTL command WE_POLICY_MANAGER_PCL_CMD, we get the cds concurrency mode as argument and pass it to cds_get_pcl to get the pcl channel list. This concurrency mode parameter is used as the array index to retrieve the enum cds_pcl_type. If this value is greater than CDS_MAX_NUM_OF_MODE an OOB read will occur in iw_hdd_set_var_ints_getnone. Add check to validate the input cds mode argument against the macro CDS_MAX_NUM_OF_MODE. Return error if it is violated. Change-Id: Iaa79d9698e0074a31a9c3f2396bd06d436d1e349 CRs-Fixed: 2216048
-rw-r--r--core/cds/src/cds_concurrency.c4
-rw-r--r--core/hdd/src/wlan_hdd_wext.c38
2 files changed, 42 insertions, 0 deletions
diff --git a/core/cds/src/cds_concurrency.c b/core/cds/src/cds_concurrency.c
index 651c9761004a..2638554824c2 100644
--- a/core/cds/src/cds_concurrency.c
+++ b/core/cds/src/cds_concurrency.c
@@ -5712,6 +5712,10 @@ QDF_STATUS cds_get_pcl(enum cds_con_mode mode,
cds_err("HDD context is NULL");
return status;
}
+ if ((mode < 0) || (mode >= CDS_MAX_NUM_OF_MODE)) {
+ cds_err("Incorrect concurrency mode:%d recieved", mode);
+ return status;
+ }
if (mode >= CDS_MAX_NUM_OF_MODE) {
cds_err("requested mode:%d is not supported", mode);
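Review bot: The range check added to cds_get_pcl makes the existing `if (mode >= CDS_MAX_NUM_OF_MODE)` test directly below it unreachable, so the function now has two guards and two different log messages for the same condition; the older block should be deleted, or the two merged into one. Because `mode` is an `enum cds_con_mode`, `mode < 0` may be always false if the compiler gives the enum an unsigned underlying type, in which case the `>=` comparison is what actually bounds the array index. A one-line comment such as `/* mode indexes the PCL tables; must be < CDS_MAX_NUM_OF_MODE */` would record that. The log string misspells "received". The rest of the function lies outside the hunk, so the value of `status` returned on this path cannot be confirmed from here.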
diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
index 6925d0eeb2dd..16fe0719a61a 100644
--- a/core/hdd/src/wlan_hdd_wext.c
+++ b/core/hdd/src/wlan_hdd_wext.c
@@ -10102,6 +10102,13 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
case WE_POLICY_MANAGER_CLIST_CMD:
{
hdd_debug("<iwpriv wlan0 pm_clist> is called");
+ if ((apps_args[0] < 0) || (apps_args[1] < 0) ||
+ (apps_args[2] < 0) || (apps_args[3] < 0) ||
+ (apps_args[4] < 0) || (apps_args[5] < 0) ||
+ (apps_args[6] < 0) || (apps_args[7] < 0)) {
+ hdd_err("Invalid input params recieved for the IOCTL");
+ return 0;
+ }
cds_incr_connection_count_utfw(apps_args[0],
apps_args[1], apps_args[2], apps_args[3],
apps_args[4], apps_args[5], apps_args[6],
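Review bot: The guard added to the WE_POLICY_MANAGER_CLIST_CMD case rejects negative arguments but then does `return 0;`, so the ioctl caller cannot tell rejected input from a handled command; unless callers of this function depend on 0 here, `return -EINVAL;` is the conventional result. The same `return 0;` appears in the guards added for the DLIST, ULIST, DBS, PCL, query_action and query_allow cases. These guards check only the lower bound, so any argument later used as an index or enum value still relies on the callee for its upper bound, and those callees are not visible in this diff. The case body and the enclosing function continue outside the hunk.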
@@ -10112,6 +10119,11 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
case WE_POLICY_MANAGER_DLIST_CMD:
{
hdd_debug("<iwpriv wlan0 pm_dlist> is called");
+ if ((apps_args[0] < 0) || (apps_args[1] < 0)) {
+ hdd_err("Invalid input params recieved for the IOCTL");
+ return 0;
+ }
+
cds_decr_connection_count_utfw(apps_args[0],
apps_args[1]);
}
@@ -10120,6 +10132,13 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
case WE_POLICY_MANAGER_ULIST_CMD:
{
hdd_debug("<iwpriv wlan0 pm_ulist> is called");
+ if ((apps_args[0] < 0) || (apps_args[1] < 0) ||
+ (apps_args[2] < 0) || (apps_args[3] < 0) ||
+ (apps_args[4] < 0) || (apps_args[5] < 0) ||
+ (apps_args[6] < 0) || (apps_args[7] < 0)) {
+ hdd_err("Invalid input params recieved for the IOCTL");
+ return 0;
+ }
cds_update_connection_info_utfw(apps_args[0],
apps_args[1], apps_args[2], apps_args[3],
apps_args[4], apps_args[5], apps_args[6],
@@ -10130,6 +10149,11 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
case WE_POLICY_MANAGER_DBS_CMD:
{
hdd_debug("<iwpriv wlan0 pm_dbs> is called");
+ if (apps_args[0] < 0) {
+ hdd_err("Invalid input param recieved for the IOCTL");
+ return 0;
+ }
+
if (apps_args[0] == 0)
wma_set_dbs_capability_ut(0);
else
@@ -10151,6 +10175,10 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
hdd_debug("<iwpriv wlan0 pm_pcl> is called");
+ if (apps_args[0] < 0) {
+ hdd_err("Invalid input param recieved for the IOCTL");
+ return 0;
+ }
cds_get_pcl(apps_args[0],
pcl, &pcl_len,
weight_list, QDF_ARRAY_SIZE(weight_list));
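Review bot: The result of `cds_get_pcl(...)` is not checked in the visible lines of the pm_pcl case, although this commit adds a new early-error return inside that function. If the code after the hunk reads `pcl` or `pcl_len`, it should either be shown that both are initialised before the call or the call's `QDF_STATUS` should be stored and the case left when it is not `QDF_STATUS_SUCCESS`. Validating the upper bound at the ioctl boundary as well, `if (apps_args[0] < 0 || apps_args[0] >= CDS_MAX_NUM_OF_MODE)`, would keep the whole range check next to the untrusted input, assuming the macro is visible in this file. The case body starts and ends outside the hunk.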
@@ -10194,6 +10222,11 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
QDF_STATUS status;
hdd_debug("<iwpriv wlan0 pm_query_action> is called");
+ if (apps_args[0] < 0) {
+ hdd_err("Invalid input params recieved for the IOCTL");
+ return 0;
+ }
+
status = cds_current_connections_update(adapter->sessionId,
apps_args[0],
SIR_UPDATE_REASON_UT);
@@ -10206,6 +10239,11 @@ static int iw_get_policy_manager_ut_ops(hdd_context_t *hdd_ctx,
bool allow;
hdd_debug("<iwpriv wlan0 pm_query_allow> is called");
+ if ((apps_args[0] < 0) || (apps_args[1] < 0) ||
+ (apps_args[2] < 0)) {
+ hdd_err("Invalid input params recieved for the IOCTL");
+ return 0;
+ }
allow = cds_allow_concurrency(
apps_args[0], apps_args[1], apps_args[2]);
pr_info("allow %d {0 = don't allow, 1 = allow}", allow);