diff options
| author | Girish Gowli <c_ggowli@qti.qualcomm.com> | 2014-06-12 20:05:32 +0530 |
|---|---|---|
| committer | Pitani Venkata Rajesh Kumar <c_vpitan@qti.qualcomm.com> | 2014-06-27 11:42:53 +0530 |
| commit | b14d3cbb669c5cb4c65be74a556451432587f2f2 (patch) | |
| tree | 19c3962863ce33a353133dfe68a1e9bf54d99fd8 | |
| parent | 7b99968d259e9a35c80c5155a28ba4aaa3b2d863 (diff) | |
wlan: Add "compat" support for add_tspec ioctl handler
The pointer passed to add_tspec command handler is not safe
when used in a 32U/64K environment.
Add "compat" support so that when the driver is part of a
64-bit kernel, the command will work with 32-bit userspace
applications
Change-Id: Ic5792b6850b5fd2da677962a512bd6e1ddea67b1
CRs-Fixed: 683512
| -rw-r--r-- | CORE/HDD/src/wlan_hdd_wext.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c index 046a3aea9a3b..7a04a0e1b404 100644 --- a/CORE/HDD/src/wlan_hdd_wext.c +++ b/CORE/HDD/src/wlan_hdd_wext.c @@ -7720,6 +7720,7 @@ static int iw_add_tspec(struct net_device *dev, struct iw_request_info *info, int params[HDD_WLAN_WMM_PARAM_COUNT]; sme_QosWmmTspecInfo tSpec; v_U32_t handle; + struct iw_point s_priv_data; // make sure the application is sufficiently priviledged // note that the kernel will do this for "set" ioctls, but since @@ -7746,10 +7747,24 @@ static int iw_add_tspec(struct net_device *dev, struct iw_request_info *info, // since we are defined to be a "get" ioctl, and since the number // of params exceeds the number of params that wireless extensions - // will pass down in the iwreq_data, we must copy the "set" params + // will pass down in the iwreq_data, we must copy the "set" params. + // We must handle the compat for iwreq_data in 32U/64K environment. + + // helper function to get iwreq_data with compat handling. + if (hdd_priv_get_data(&s_priv_data, wrqu)) { + *pStatus = HDD_WLAN_WMM_STATUS_SETUP_FAILED_BAD_PARAM; + return 0; + } + + // make sure all params are correctly passed to function + if ((NULL == s_priv_data.pointer) || + (HDD_WLAN_WMM_PARAM_COUNT != s_priv_data.length)) { + *pStatus = HDD_WLAN_WMM_STATUS_SETUP_FAILED_BAD_PARAM; + return 0; + } + // from user space ourselves - if (copy_from_user(¶ms, wrqu->data.pointer, sizeof(params))) - { + if (copy_from_user(¶ms, s_priv_data.pointer, sizeof(params))) { // hmmm, can't get them return -EIO; } |