From 5e002903e145fc23c285b6fc98f05f6dc8fff0e1 Mon Sep 17 00:00:00 2001
From: Abhinav Kumar
Date: Fri, 30 Nov 2018 14:21:48 +0530
Subject: [PATCH] qcacld-3.0: Check channel_count while handling DCC update ndl event
Invalid channel_count may be sent to driver by user with QCA_NL80211_VENDOR_SUBCMD_DCC_UPDATE_NDL vendor command, and may also pass the sanity check with update_ndl_param->dcc_ndl_chan_list_len as integer overflow, in send_dcc_update_ndl_cmd_tlv. This leads to heap overflow while updating NDL per channel. Fix is to validate channel count sent by user in __wlan_hdd_cfg80211_dcc_update_ndl before accessing it.
Change-Id: Icf385dd5618fcdbdbf427062fe581fa7d3909882
CRs-Fixed: 2339182
---
core/hdd/src/wlan_hdd_ocb.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/core/hdd/src/wlan_hdd_ocb.c b/core/hdd/src/wlan_hdd_ocb.c
index 9bdd0d88fa7c1..4a193a8591499 100644
--- a/core/hdd/src/wlan_hdd_ocb.c
+++ b/core/hdd/src/wlan_hdd_ocb.c
@@ -1911,6 +1911,12 @@ static int __wlan_hdd_cfg80211_dcc_update_ndl(struct wiphy *wiphy,
 ndl_active_state_array = nla_data( tb[QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY]);
+ /* Check channel count. Per 11p spec, max 2 channels allowed */
+ if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
+ hdd_err("Invalid channel_count %d", channel_count);
+ return -EINVAL;
+ }
+
 request = osif_request_alloc(¶ms);
 if (!request) {
 hdd_err("Request allocation failure");
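Review bot: The added guard caps `channel_count` at `TGT_NUM_OCB_CHANNELS`, but nothing visible in this hunk ties the count to the actual payload size of the attributes fetched just above with `nla_data()`, such as `QCA_WLAN_VENDOR_ATTR_DCC_UPDATE_NDL_ACTIVE_STATE_ARRAY`. The function body starts and continues outside the hunk, so it should be confirmed that `nla_len()` of each array attribute is compared against what `channel_count` implies; otherwise a count of 1 or 2 paired with a short array could still be read past its end. The commit description also says the length check in `send_dcc_update_ndl_cmd_tlv` can be passed through an integer overflow, and this change leaves that check as it is, so making it overflow-safe as well would cover any other path that reaches it. Minor: if `channel_count` is declared unsigned (its declaration is not shown), the log line should read `hdd_err("Invalid channel_count %u", channel_count);`.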