authorLin Bai <lbai@codeaurora.org>2018-09-11 22:53:28 +0800
committernshrivas <nshrivas@codeaurora.org>2018-09-13 02:08:45 -0700
commit7c8871b05deabdee5c7d67f9517c170b7de8681e (patch)
treec4e747f1ee18f7d17758afd7ee12f15d7311f13e /core
parent49ecc2fea870f923f17bc538f06e28f7babe3619 (diff)
qcacld-3.0: Check channel_count in DCC_GET_STATS command
An invalid channel_count may be sent to the driver with the QCA_NL80211_VENDOR_SUBCMD_DCC_GET_STATS vendor command, and because of an integer overflow it may also pass the sanity check against get_stats_param->request_array_len in send_dcc_get_stats_cmd_tlv(). This finally leads to a heap overflow when the TLV header for each channel is initialized. Change-Id: I1d81b5fc4de80829433f2a0ab41c964c41f750c3 CRs-Fixed: 2300516
Diffstat (limited to 'core')
-rw-r--r--core/hdd/src/wlan_hdd_ocb.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ocb.c b/core/hdd/src/wlan_hdd_ocb.c
index 847762fe3abb..9ca0327927c2 100644
--- a/core/hdd/src/wlan_hdd_ocb.c
+++ b/core/hdd/src/wlan_hdd_ocb.c
@@ -1647,6 +1647,12 @@ static int __wlan_hdd_cfg80211_dcc_get_stats(struct wiphy *wiphy,
request_array = nla_data(
tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]);
+ /* Check channel count. Per 11p spec, max 2 channels allowed */
+ if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
+ hdd_err("Invalid channel_count %d", channel_count);
+ return -EINVAL;
+ }
+
hdd_request = hdd_request_alloc(&params);
if (!hdd_request) {
hdd_err("Request allocation failure");
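Review bot: The new bound on `channel_count` closes this entry point only. The sanity check in send_dcc_get_stats_cmd_tlv(), which the description says an integer overflow can defeat, is not touched in the visible diff, so any other caller that reaches it with an unchecked count would presumably still be exposed. I would also make that check overflow-safe, or repeat the `channel_count > TGT_NUM_OCB_CHANNELS` bound there, so the function that sizes the buffer enforces its own limit. The added comment could say why the bound matters here, e.g. `/* channel_count sizes the per-channel TLV array built downstream; reject 0 and anything above TGT_NUM_OCB_CHANNELS */`. If `channel_count` is an unsigned 32-bit value (its declaration is outside the hunk), the log line should use `%u` instead of `%d` so an oversized count is not printed as a negative number. The body of __wlan_hdd_cfg80211_dcc_get_stats() begins and ends outside this hunk.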