qcacld-2.0: Resolve possible OOB while posting SET PASSPOINT WMA event
qcacld-3.0 to qcacld-2.0 propagation Presently, while processing SET_PASSPOINT_LIST vendor command HDD is not making sure realm string passed by upper-layer is NULL terminated, this may lead to buffer overflow as strlen is used to get realm string length to construct PASSPOINT WMA command. Make sure realm is NULL terminated before passing the same to down layers. Change-Id: I417f2b89dc219664afe5deac00dc361cac4048d6 CRs-Fixed: 2217476
This commit is contained in:
Hanumanth Reddy Pothula
syphyr
parent
27ef618a27
commit
dc730b5124
|
|
@ -4752,6 +4752,13 @@ static int wlan_hdd_cfg80211_set_epno_list(struct wiphy *wiphy,
|
|||
return ret;
|
||||
}
|
||||
|
||||
#define PARAM_ID QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID
|
||||
#define PARAM_REALM QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM
|
||||
#define PARAM_ROAM_ID \
|
||||
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID
|
||||
#define PARAM_ROAM_PLMN \
|
||||
QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN
|
||||
|
||||
/**
|
||||
* hdd_extscan_passpoint_fill_network_list() - passpoint fill network list
|
||||
* @hddctx: HDD context
|
||||
|
|
@ -4770,7 +4777,8 @@ static int hdd_extscan_passpoint_fill_network_list(
|
|||
{
|
||||
struct nlattr *network[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1];
|
||||
struct nlattr *networks;
|
||||
int rem1, len;
|
||||
int rem1;
|
||||
size_t len;
|
||||
uint8_t index;
|
||||
uint32_t expected_networks;
|
||||
|
||||
|
|
@ -4800,38 +4808,37 @@ static int hdd_extscan_passpoint_fill_network_list(
|
|||
}
|
||||
|
||||
/* Parse and fetch identifier */
|
||||
if (!network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID]) {
|
||||
if (!network[PARAM_ID]) {
|
||||
hddLog(LOGE, FL("attr passpoint id failed"));
|
||||
return -EINVAL;
|
||||
}
|
||||
req_msg->networks[index].id = nla_get_u32(
|
||||
network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID]);
|
||||
network[PARAM_ID]);
|
||||
hddLog(LOG1, FL("Id %u"), req_msg->networks[index].id);
|
||||
|
||||
/* Parse and fetch realm */
|
||||
if (!network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM]) {
|
||||
if (!network[PARAM_REALM]) {
|
||||
hddLog(LOGE, FL("attr realm failed"));
|
||||
return -EINVAL;
|
||||
}
|
||||
len = nla_len(
|
||||
network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM]);
|
||||
if (len < 0 || len > SIR_PASSPOINT_REALM_LEN) {
|
||||
hddLog(LOGE, FL("Invalid realm size %d"), len);
|
||||
len = nla_strlcpy(req_msg->networks[index].realm,
|
||||
network[PARAM_REALM],
|
||||
SIR_PASSPOINT_REALM_LEN);
|
||||
/* Don't send partial realm to firmware */
|
||||
if (len >= SIR_PASSPOINT_REALM_LEN) {
|
||||
hddLog(LOGE, FL("user passed invalid realm, len:%zu"),
|
||||
len);
|
||||
return -EINVAL;
|
||||
}
|
||||
vos_mem_copy(req_msg->networks[index].realm,
|
||||
nla_data(network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_REALM]),
|
||||
len);
|
||||
hddLog(LOG1, FL("realm len %d"), len);
|
||||
hddLog(LOG1, FL("realm: %s"), req_msg->networks[index].realm);
|
||||
|
||||
/* Parse and fetch roaming consortium ids */
|
||||
if (!network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID]) {
|
||||
/* Parse and fetch roaming consortium ids */
|
||||
if (!network[PARAM_ROAM_ID]) {
|
||||
hddLog(LOGE, FL("attr roaming consortium ids failed"));
|
||||
return -EINVAL;
|
||||
}
|
||||
nla_memcpy(&req_msg->networks[index].roaming_consortium_ids,
|
||||
network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_CNSRTM_ID],
|
||||
network[PARAM_ROAM_ID],
|
||||
sizeof(req_msg->networks[0].roaming_consortium_ids));
|
||||
hddLog(LOG1, FL("roaming consortium ids"));
|
||||
VOS_TRACE_HEX_DUMP(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
|
||||
|
|
@ -4839,12 +4846,12 @@ static int hdd_extscan_passpoint_fill_network_list(
|
|||
sizeof(req_msg->networks[0].roaming_consortium_ids));
|
||||
|
||||
/* Parse and fetch plmn */
|
||||
if (!network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN]) {
|
||||
if (!network[PARAM_ROAM_PLMN]) {
|
||||
hddLog(LOGE, FL("attr plmn failed"));
|
||||
return -EINVAL;
|
||||
}
|
||||
nla_memcpy(&req_msg->networks[index].plmn,
|
||||
network[QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ROAM_PLMN],
|
||||
network[PARAM_ROAM_PLMN],
|
||||
SIR_PASSPOINT_PLMN_LEN);
|
||||
hddLog(LOG1, FL("plmn %02x:%02x:%02x"),
|
||||
req_msg->networks[index].plmn[0],
|
||||
|
|
@ -5081,6 +5088,12 @@ static int wlan_hdd_cfg80211_reset_passpoint_list(struct wiphy *wiphy,
|
|||
|
||||
return ret;
|
||||
}
|
||||
|
||||
#undef PARAM_ID
|
||||
#undef PARAM_REALM
|
||||
#undef PARAM_ROAM_ID
|
||||
#undef PARAM_ROAM_PLMN
|
||||
|
||||
#endif /* FEATURE_WLAN_EXTSCAN */
|
||||
|
||||
/**
|
||||
|
|
|
|||
Loading…
Reference in New Issue