| author | Lin Bai <lbai@codeaurora.org> | 2018-09-12 11:46:55 +0800 |
|---|---|---|
| committer | Lin Bai <lbai@codeaurora.org> | 2018-09-12 11:46:55 +0800 |
| commit | 6c8c527908d08396150029e08cdb42f4e1e5f2d1 (patch) | |
| tree | efb5c4d366f54c36f47e6df2cfc3d857426256bc | |
| parent | dbdc4e0fc9161ed97e91e3f0cb553a181e7ed8b7 (diff) | |
qcacld-2.0: Check channel_count in DCC_GET_STATS command
An invalid channel_count may be sent to the driver with the
QCA_NL80211_VENDOR_SUBCMD_DCC_GET_STATS vendor command, and may also
pass the sanity check against get_stats_param->request_array_len
because of an integer overflow in send_dcc_get_stats_cmd_tlv().
Then it will finally lead to heap overflow when initializing
TLV header for each channel.
Change-Id: I1d81b5fc4de80829433f2a0ab41c964c41f750c3
CRs-Fixed: 2313756
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_ocb.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/CORE/HDD/src/wlan_hdd_ocb.c b/CORE/HDD/src/wlan_hdd_ocb.c index c9628c1e3987..663e6cd8bcb0 100644 --- a/CORE/HDD/src/wlan_hdd_ocb.c +++ b/CORE/HDD/src/wlan_hdd_ocb.c @@ -1857,6 +1857,12 @@ static int __wlan_hdd_cfg80211_dcc_get_stats(struct wiphy *wiphy, request_array = nla_data( tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]); + /* Check channel count. Per 11p spec, max 2 channels allowed */ + if (!channel_count || channel_count > CFG_TGT_NUM_OCB_CHANNELS) { + hddLog(LOGE, FL("Invalid channel_count %d"), channel_count); + return -EINVAL; + } + /* Initialize the callback context */ hdd_request = hdd_request_alloc(¶ms); if (!hdd_request) { |
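Review bot: The new bound on `channel_count` in `__wlan_hdd_cfg80211_dcc_get_stats()` guards only this entry path; the commit touches only wlan_hdd_ocb.c, so the length check in `send_dcc_get_stats_cmd_tlv()` that the description says can be passed through integer overflow stays as it is, and making that length computation overflow-safe as well would keep other callers from depending on this one guard. Separately, the declaration of `channel_count` is outside the hunk: if it is a signed type, a negative value passes both `!channel_count` and `channel_count > CFG_TGT_NUM_OCB_CHANNELS`, and if it is unsigned the log format should be `%u` rather than `%d`, e.g. `hddLog(LOGE, FL("Invalid channel_count %u"), channel_count);`. It would also help to verify here that the length of the `QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY` attribute corresponds to `channel_count` entries, since `request_array` is taken straight from `nla_data()`; whether that is done earlier in the function is not visible in this hunk. The function body starts and ends outside the hunk.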
