qcacld-3.0: Check channel_count while handling DCC update ndl event

Invalid channel_count may be sent to driver by user with
QCA_NL80211_VENDOR_SUBCMD_DCC_UPDATE_NDL vendor command, and may also
pass the sanity check with update_ndl_param->dcc_ndl_chan_list_len as
integer overflow, in send_dcc_update_ndl_cmd_tlv. This leads to heap
overflow while updating NDL per channel.

Fix is to validate channel count sent by user in
__wlan_hdd_cfg80211_dcc_update_ndl before accessing it.

Change-Id: Icf385dd5618fcdbdbf427062fe581fa7d3909882
CRs-Fixed: 2339182
Abhinav Kumar 2018-11-30 14:21:48 +05:30 committed by nshrivas
parent 73c6949420
commit 5e002903e1

@ -1911,6 +1911,12 @@ static int __wlan_hdd_cfg80211_dcc_update_ndl(struct wiphy *wiphy,
ndl_active_state_array = nla_data(
tb[QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY]);
/* Check channel count. Per 11p spec, max 2 channels allowed */
if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
hdd_err("Invalid channel_count %d", channel_count);
return -EINVAL;
}
request = osif_request_alloc(&params);
if (!request) {
hdd_err("Request allocation failure");
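Review bot: The new range check on channel_count does not tie it to the size of the attribute payloads: in the lines shown, ndl_active_state_array is taken from nla_data() just above the check, and nothing visible here compares nla_len() of that attribute (or of the NDL channel array) with what channel_count entries would need. A count of 1 or 2 with a shorter payload would still pass, so consider validating the attribute lengths against channel_count in this function as well, unless that is already done earlier. Two smaller points: the comment hard-codes "max 2 channels" while the code tests TGT_NUM_OCB_CHANNELS, so the comment can drift if the macro changes; and if channel_count is an unsigned type, the hdd_err format should be %u rather than %d.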