| author | Nachiket Kukade <nkukade@codeaurora.org> | 2017-06-12 16:24:16 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-06-13 06:49:08 -0700 |
| commit | 8a4da03089ec78d44e44efa594d08cecc177326e (patch) | |
| tree | e9adf98b9614b6a8ecf591ac9935fc50bad3ec4a | |
| parent | 763ea58ec951fd4de214c32fb136c0e476f6357d (diff) | |
qcacld-2.0: Avoid MAC address overrun in get chain RSSI
Currently, in __wlan_hdd_cfg80211_get_chain_rssi the
QCA_WLAN_VENDOR_ATTR_MAC_ADDR attribute is read without providing an
nla policy. This can lead to a buffer over-read if userspace provides less
than the expected amount of data. Ensure the expected amount of data has
been passed from userspace before using the
QCA_WLAN_VENDOR_ATTR_MAC_ADDR attribute in
__wlan_hdd_cfg80211_get_chain_rssi.
Change-Id: Ibffb925b9ec574a07f887299ed3035779367dce4
CRs-Fixed: 2058468
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_cfg80211.c | 20 |
1 files changed, 15 insertions, 5 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 35e8072e520b..ab7d9b5cbec0 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -13952,8 +13952,10 @@ static int __wlan_hdd_cfg80211_get_chain_rssi(struct wiphy *wiphy,
 struct hdd_chain_rssi_context *context;
 struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1];
 eHalStatus status;
- int retval = 0;
+ int retval;
 unsigned long rc;
+ const int mac_len = sizeof(req_msg.peer_macaddr);
+ int msg_len;
 ENTER();
@@ -13961,9 +13963,11 @@ static int __wlan_hdd_cfg80211_get_chain_rssi(struct wiphy *wiphy,
 if (0 != retval)
 return retval;
- if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_MAX, data, data_len, NULL)) {
+ /* nla validation doesn't do exact lengths, do the validation later */
+ retval = nla_parse(tb, QCA_WLAN_VENDOR_ATTR_MAX, data, data_len, NULL);
+ if (retval) {
 hddLog(LOGE, FL("Invalid ATTR"));
- return -EINVAL;
+ return retval;
 }
 if (!tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]) {
@@ -13971,9 +13975,15 @@ static int __wlan_hdd_cfg80211_get_chain_rssi(struct wiphy *wiphy,
 return -EINVAL;
 }
+ msg_len = nla_len(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]);
+ if (msg_len != mac_len) {
+ hddLog(LOGE, FL("Invalid mac address length: %d, expected %d"),
+ msg_len, mac_len);
+ return -ERANGE;
+ }
+
 memcpy(&req_msg.peer_macaddr,
- nla_data(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]),
- sizeof(req_msg.peer_macaddr));
+ nla_data(tb[QCA_WLAN_VENDOR_ATTR_MAC_ADDR]), mac_len);
 spin_lock(&hdd_context_lock);
 context = &hdd_ctx->chain_rssi_context; |
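Review bot: The added comment above the nla_parse() call in the second hunk is vaguer than the situation warrants: with a NULL policy nla_parse() performs no length validation at all, and "later" does not say where the guard lives, so a future reader moving the memcpy could silently reintroduce the over-read. Suggest `/* nla_parse() with a NULL policy validates no attribute lengths; the MAC attribute's exact length is checked against sizeof(req_msg.peer_macaddr) below, before it is copied. */` so the dependency between the two hunks is explicit. The explicit `msg_len != mac_len` check before the memcpy in the third hunk is the right fix, since an nla_policy entry can only bound the maximum length, not require an exact one, and returning -ERANGE mirrors what nla_parse() itself reports for a policy length violation. Note that propagating nla_parse()'s return instead of the former -EINVAL changes the error code userspace sees on a malformed message; this appears intentional but is worth a sentence in the commit message. __wlan_hdd_cfg80211_get_chain_rssi starts before the first hunk and continues past the last one.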
