| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2018-11-30 12:21:02 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-12-04 08:33:18 -0800 |
| commit | 5ca01e0113b3e8ed4bdcab45d91d97aea05ff839 (patch) | |
| tree | 054d2d8f0d0aa60f6cd5963c942b3e8dc635a2cb | |
| parent | 3b2bc4e8302a3f4e0dede57223f7145479519681 (diff) | |

qcacld-3.0: Check channel_count while handling DCC update ndl event

Invalid channel_count may be sent to driver by user with
QCA_NL80211_VENDOR_SUBCMD_DCC_UPDATE_NDL vendor command, and may also
pass the sanity check with update_ndl_param->dcc_ndl_chan_list_len as
integer overflow, in send_dcc_update_ndl_cmd_tlv. This leads to heap
overflow while updating NDL per channel.

Fix is to validate channel count sent by user in
__wlan_hdd_cfg80211_dcc_update_ndl before accessing it.

Change-Id: Icf385dd5618fcdbdbf427062fe581fa7d3909882
CRs-Fixed: 2339182

| -rw-r--r-- | core/hdd/src/wlan_hdd_ocb.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ocb.c b/core/hdd/src/wlan_hdd_ocb.c index 9ca0327927c2..034fbecfa539 100644 --- a/core/hdd/src/wlan_hdd_ocb.c +++ b/core/hdd/src/wlan_hdd_ocb.c @@ -1915,6 +1915,12 @@ static int __wlan_hdd_cfg80211_dcc_update_ndl(struct wiphy *wiphy, ndl_active_state_array = nla_data( tb[QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY]); + /* Check channel count. Per 11p spec, max 2 channels allowed */ + if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) { + hdd_err("Invalid channel_count %d", channel_count); + return -EINVAL; + } + hdd_request = hdd_request_alloc(¶ms); if (!hdd_request) { hdd_err("Request allocation failure"); |
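Review bot: The new range check in __wlan_hdd_cfg80211_dcc_update_ndl bounds channel_count itself, but nothing in the visible lines ties it to the sizes of the user-supplied attributes it describes: ndl_active_state_array is taken with nla_data() immediately above the check, and no nla_len() comparison appears in this hunk. Please confirm that the lengths of the channel array and active state array attributes are validated against channel_count elsewhere in this function, or add that comparison next to this check, so a small valid count cannot be paired with buffers of a different size. Since the commit message places the integer overflow in send_dcc_update_ndl_cmd_tlv, a matching bound on the count in that function would also protect any caller that does not go through this HDD path. Two smaller points: hdd_err prints channel_count with %d, which should be %u if the variable is unsigned (its declaration is outside the hunk), and the comment hardcodes "max 2 channels" while the condition uses TGT_NUM_OCB_CHANNELS, so the comment should name the macro to keep the two from drifting apart.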
