From 4412e96b1e29b677cfc1cadde2d8ea6c56c4ae7d Mon Sep 17 00:00:00 2001 From: Hanumanth Reddy Pothula Date: Thu, 17 Nov 2016 15:17:29 +0530 Subject: qcacld-2.0: Validate netlink packet length While processing netlink packet(logger app), packet length is validated incorrectly, leading packets to drop without processing. Validate netlink packet lenght properly, by checking whole (including header) netlink packet size with skb's len. Change-Id: Ia6fc1a4c090084ad197ae198404c9083d0acb8e4 CRs-Fixed: 1075397
---
 CORE/SVC/src/logging/wlan_logging_sock_svc.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/CORE/SVC/src/logging/wlan_logging_sock_svc.c b/CORE/SVC/src/logging/wlan_logging_sock_svc.c
index 6e20a850950c..56d1b92ddc3b 100644
--- a/CORE/SVC/src/logging/wlan_logging_sock_svc.c
+++ b/CORE/SVC/src/logging/wlan_logging_sock_svc.c
@@ -189,7 +189,7 @@ static int wlan_send_sock_msg_to_app(tAniHdr *wmsg, int radio,
 tAniNlHdr *wnl = NULL;
 struct sk_buff *skb;
 struct nlmsghdr *nlh;
- int wmsg_length = wmsg->length;
+ int wmsg_length = ntohs(wmsg->length);
 static int nlmsg_seq;
 if (radio < 0 || radio > ANI_MAX_RADIOS) {
@@ -818,7 +818,7 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb)
 tAniNlHdr *wnl;
 int radio;
 int type;
- int ret;
+ int ret, len;
 wnl = (tAniNlHdr *) skb->data;
 radio = wnl->radio;
@@ -831,10 +831,12 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb)
 return -EINVAL;
 }
- if (wnl->wmsg.length > skb->data_len) {
+ len = ntohs(wnl->wmsg.length) + sizeof(tAniNlHdr);
+ if (len > skb_headlen(skb)) {
 LOGGING_TRACE(VOS_TRACE_LEVEL_ERROR,
- "%s: invalid length msgLen:%x skb data_len:%x\n",
- __func__, wnl->wmsg.length, skb->data_len);
+ "%s: invalid length, msgLen:%x skb len:%x headLen: %d data_len: %d",
+ __func__, len, skb->len, skb_headlen(skb),
+ skb->data_len);
 return -EINVAL;
 }
-- cgit v1.2.3
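Review bot: The switch to `ntohs(wmsg->length)` at the top of wlan_send_sock_msg_to_app is neither mentioned in the commit message nor documented in the code, yet it changes the contract for every caller: `wmsg->length` must now arrive in network byte order, otherwise the length used for the outgoing message is byte-swapped. `wmsg_length` presumably sizes the skb allocation and copy further down, outside this hunk, so a caller that still passes a host-order length would get a wrong copy size. I would add a comment such as `/* wmsg->length is in network byte order on entry (caller sets it with htons) */` and confirm that each caller fills the field that way.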
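Review bot: The new check in wlan_logging_proc_sock_rx_msg bounds only the upper side: nothing visible verifies that the linear data holds a full `tAniNlHdr` before `wnl->radio` (previous hunk) and `wnl->wmsg.length` are read from `skb->data`, so a short message could have its header fields read past the received data. Unless the lines between the two hunks or the caller already guarantee this, add `if (skb_headlen(skb) < sizeof(tAniNlHdr)) return -EINVAL;` before the first dereference of `wnl`. Separately, `skb_headlen(skb)` and `skb->data_len` are unsigned, so the trace format should use `%u` rather than `%d`, and `len` is better declared `unsigned int` to avoid the signed/unsigned comparison. The function body continues outside the hunk.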