From b14d3cbb669c5cb4c65be74a556451432587f2f2 Mon Sep 17 00:00:00 2001
From: Girish Gowli
Date: Thu, 12 Jun 2014 20:05:32 +0530
Subject: wlan: Add "compat" support for add_tspec ioctl handler

The pointer passed to add_tspec command handler is not safe when used in a 32U/64K environment. Add "compat" support so that when the driver is part of a 64-bit kernel, the command will work with 32-bit userspace applications
Change-Id: Ic5792b6850b5fd2da677962a512bd6e1ddea67b1
CRs-Fixed: 683512
---
 CORE/HDD/src/wlan_hdd_wext.c | 21 ++++++++++++++++++---
 1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 046a3aea9a3b..7a04a0e1b404 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -7720,6 +7720,7 @@ static int iw_add_tspec(struct net_device *dev, struct iw_request_info *info,
 int params[HDD_WLAN_WMM_PARAM_COUNT];
 sme_QosWmmTspecInfo tSpec;
 v_U32_t handle;
+ struct iw_point s_priv_data;
 // make sure the application is sufficiently priviledged
 // note that the kernel will do this for "set" ioctls, but since
@@ -7746,10 +7747,24 @@ static int iw_add_tspec(struct net_device *dev, struct iw_request_info *info,
 // since we are defined to be a "get" ioctl, and since the number
 // of params exceeds the number of params that wireless extensions
- // will pass down in the iwreq_data, we must copy the "set" params
+ // will pass down in the iwreq_data, we must copy the "set" params.
+ // We must handle the compat for iwreq_data in 32U/64K environment.
+
+ // helper function to get iwreq_data with compat handling.
+ if (hdd_priv_get_data(&s_priv_data, wrqu)) {
+ *pStatus = HDD_WLAN_WMM_STATUS_SETUP_FAILED_BAD_PARAM;
+ return 0;
+ }
+
+ // make sure all params are correctly passed to function
+ if ((NULL == s_priv_data.pointer) ||
+ (HDD_WLAN_WMM_PARAM_COUNT != s_priv_data.length)) {
+ *pStatus = HDD_WLAN_WMM_STATUS_SETUP_FAILED_BAD_PARAM;
+ return 0;
+ }
+
+ // from user space ourselves
- if (copy_from_user(¶ms, wrqu->data.pointer, sizeof(params)))
- {
+ if (copy_from_user(¶ms, s_priv_data.pointer, sizeof(params))) {
 // hmmm, can't get them
 return -EIO;
 }
--
cgit v1.2.3
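Review bot: The failure paths around the user-space copy report in two different ways: a failed `hdd_priv_get_data()` and a NULL pointer or wrong length return 0 with `HDD_WLAN_WMM_STATUS_SETUP_FAILED_BAD_PARAM` in `*pStatus`, while a faulting `copy_from_user()` still returns `-EIO` and leaves `*pStatus` unset. A bad user pointer is the same class of caller error and the conventional errno for it is `-EFAULT`; if no existing userspace depends on `EIO`, the body could become `return -EFAULT;`, otherwise a one-line comment explaining why the two conventions differ would help the next reader. The length test compares the caller-supplied `s_priv_data.length` against the element count while the copy itself uses the fixed `sizeof(params)`, which is what keeps the kernel buffer bounded; a comment such as `// length is an element count; the copy size is fixed by the kernel buffer` would make that explicit. `pStatus` and the rest of `iw_add_tspec` lie outside the hunk, so whether returning 0 on a rejected request matches the function's other validation paths should be confirmed there.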