
qcacld-3.0: Fix set_ratemask policy to avoid stack overflow

Currently the function hdd_set_ratemask_params, which handles
requests for the vendor command QCA_NL80211_VENDOR_SUBCMD_RATEMASK_CONFIG,
parses the attributes according to wlan_hdd_set_ratemask_param_policy
and copies them into the struct config_ratemask_params.

But in the nla_policy, the length of the parameter
QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP is set to 128 bytes instead
of 128 bits (16 bytes), causing stack buffer overflow when copied onto
16 bytes stack buffer. To avoid this issue change the parameter length
from 128 bytes to 16 bytes.

Change-Id: I053d3810e3b4942344d7f1a12e365e9cfc71a492
CRs-Fixed: 3342629
Aditya Kodukula 2 years ago
parent
commit
1f276e0631
1 changed files with 5 additions and 3 deletions
  1. 5 3
      core/hdd/src/wlan_hdd_cfg80211.c

+ 5 - 3
core/hdd/src/wlan_hdd_cfg80211.c

@@ -6576,6 +6576,7 @@ wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
 }
 
 #define RATEMASK_PARAMS_TYPE_MAX 4
+#define RATEMASK_PARAMS_BITMAP_MAX 16
 #define RATEMASK_PARAMS_MAX QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_MAX
 const struct nla_policy wlan_hdd_set_ratemask_param_policy[
 			RATEMASK_PARAMS_MAX + 1] = {
@@ -6583,7 +6584,7 @@ const struct nla_policy wlan_hdd_set_ratemask_param_policy[
 		VENDOR_NLA_POLICY_NESTED(wlan_hdd_set_ratemask_param_policy),
 	[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_TYPE] = {.type = NLA_U8},
 	[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP] = {.type = NLA_BINARY,
-							 .len = 128},
+					.len = RATEMASK_PARAMS_BITMAP_MAX},
 };
 
 /**
@@ -6605,7 +6606,7 @@ static int hdd_set_ratemask_params(struct hdd_context *hdd_ctx,
 	int ret, rem;
 	struct config_ratemask_params rate_params[RATEMASK_PARAMS_TYPE_MAX];
 	uint8_t ratemask_type, num_ratemask = 0, len;
-	uint32_t bitmap[RATEMASK_PARAMS_TYPE_MAX] = {0};
+	uint32_t bitmap[RATEMASK_PARAMS_BITMAP_MAX / 4];
 
 	ret = wlan_cfg80211_nla_parse(tb,
 				      RATEMASK_PARAMS_MAX,
@@ -6658,7 +6659,8 @@ static int hdd_set_ratemask_params(struct hdd_context *hdd_ctx,
 		}
 
 		len = nla_len(tb2[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP]);
-		nla_memcpy((void *)bitmap,
+		qdf_mem_zero(bitmap, sizeof(bitmap));
+		nla_memcpy(bitmap,
 			   tb2[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP],
 			   len);
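Review bot: The copy at the end of the last hunk is still bounded only by the attribute's own length, since `len` is read from `nla_len()` and handed straight back to `nla_memcpy()`, so the 16-byte stack buffer is protected by the nla_policy alone; a defence-in-depth bound on the destination would be `nla_memcpy(bitmap, tb2[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP], sizeof(bitmap));`, which copies at most the smaller of the attribute length and the buffer size. `len` is declared `uint8_t` in the earlier hunk, so an attribute longer than 255 bytes would be silently truncated before the copy should the policy limit ever be relaxed; if `len` is also consumed later in the function, that truncation would propagate. In the declaration hunk, `RATEMASK_PARAMS_BITMAP_MAX / 4` hard-codes the element width, whereas `RATEMASK_PARAMS_BITMAP_MAX / sizeof(uint32_t)` states the intent and survives a type change. hdd_set_ratemask_params begins and ends outside these hunks, so whether `bitmap` (now without the `= {0}` initializer) is read anywhere before the first `qdf_mem_zero()` cannot be confirmed from here.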