authorJeff Johnson <jjohnson@codeaurora.org>2016-11-18 11:35:01 -0800
committerAnjaneedevi Kapparapu <akappa@codeaurora.org>2016-11-24 14:42:42 +0530
commitaa7e82114a017b24c8188f9656fc40d8a1dceaba (patch)
treeb14f3ac1c0142b6626642f343f7ca0426ca2319c
parentbd9d2cf8a0194acc08656a5875cf131e56b68e17 (diff)
qcacld-2.0: Avoid overflow of passpoint network list
Currently when processing a passpoint vendor command the "num networks" attribute is limit checked and if it exceeds a MAX value then the command is rejected. Otherwise this value is used to calculate the size of the buffer allocated to hold the internal representation of the request. However later when the network attributes are parsed there is no check to make sure the number of networks processed does not exceed the "num networks" used to allocate memory, and as a result a buffer overflow can occur. Address this issue by aborting the network parsing once "num networks" records have been parsed. Change-Id: I38d9f19b08b42fa9a850eb70a42920fbc3b99cf6 CRs-Fixed: 1092059
-rw-r--r--CORE/HDD/src/wlan_hdd_cfg80211.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index a2ff8feb2807..54c5e54f006d 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -5127,11 +5127,19 @@ static int hdd_extscan_passpoint_fill_network_list(
struct nlattr *networks;
int rem1, len;
uint8_t index;
+ uint32_t expected_networks;
+ expected_networks = req_msg->num_networks;
index = 0;
nla_for_each_nested(networks,
tb[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NETWORK_ARRAY],
rem1) {
+
+ if (index == expected_networks) {
+ hddLog(LOGW, FL("ignoring excess networks"));
+ break;
+ }
+
if (nla_parse(network,
QCA_WLAN_VENDOR_ATTR_PNO_MAX,
nla_data(networks), nla_len(networks), NULL)) {
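Review bot: The new guard `if (index == expected_networks)` compares the `uint8_t` counter `index` (declared on the line above the added `uint32_t expected_networks`) against a 32-bit bound, so if the MAX that the caller enforces on num_networks is greater than 255 the counter wraps to 0 after 256 entries, the equality never fires, and the overflow this commit is meant to close stays reachable; the limit value is not visible in this hunk, so that part is inferred. Widening the counter, `uint32_t index;`, removes the wrap regardless of the limit, and `if (index >= expected_networks)` is the more defensive form of the comparison since it also holds if the counter is ever disturbed. A one-line comment above the check would record why it exists, e.g. `/* req_msg was sized for num_networks entries; never write past it */`. hdd_extscan_passpoint_fill_network_list starts before this hunk, and the `index++` and the `req_msg->num_networks = index` write-back that this guard relies on are in the second hunk.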
@@ -5193,6 +5201,7 @@ static int hdd_extscan_passpoint_fill_network_list(
index++;
}
+ req_msg->num_networks = index;
return 0;
}