samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull-Requests Actions Pakete Projekte Releases Wiki Aktivität

qcacld-3.0: Fix set_ratemask policy to avoid stack overflow

Quellcode durchsuchen 
Currently in the function hdd_set_ratemask_params, which handles
requests for the vendor command QCA_NL80211_VENDOR_SUBCMD_RATEMASK_CONFIG,
parses the attributes according to the wlan_hdd_set_ratemask_param_policy,
and copies them into the struct config_ratemask_params.

But in the nla_policy, the length of the parameter
QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP is set to 128 bytes instead
of 128 bits (16 bytes), causing stack buffer overflow when copied onto
16 bytes stack buffer. To avoid this issue change the parameter length
from 128 bytes to 16 bytes.

Change-Id: I053d3810e3b4942344d7f1a12e365e9cfc71a492
CRs-Fixed: 3342629
Dieser Commit ist enthalten in:
Aditya Kodukula
2022-11-21 13:04:26 -08:00
committet von Madan Koyyalamudi
Ursprung 0a8f4239ab
Commit 1f276e0631
1 geänderte Dateien mit 5 neuen und 3 gelöschten Zeilen
Patch-Datei herunterladen Vergleichs-Datei herunterladen Alle Dateien ausklappen Alle Dateien einklappen

8
core/hdd/src/wlan_hdd_cfg80211.c
Datei anzeigen

@@ -6576,6 +6576,7 @@ wlan_hdd_cfg80211_set_ext_roam_params(struct wiphy *wiphy,
}
#define RATEMASK_PARAMS_TYPE_MAX 4
#define RATEMASK_PARAMS_BITMAP_MAX 16
#define RATEMASK_PARAMS_MAX QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_MAX
const struct nla_policy wlan_hdd_set_ratemask_param_policy[
RATEMASK_PARAMS_MAX + 1] = {
@@ -6583,7 +6584,7 @@ const struct nla_policy wlan_hdd_set_ratemask_param_policy[
VENDOR_NLA_POLICY_NESTED(wlan_hdd_set_ratemask_param_policy),
[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_TYPE] = {.type = NLA_U8},
[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP] = {.type = NLA_BINARY,
.len = 128},
.len = RATEMASK_PARAMS_BITMAP_MAX},
};
/**
@@ -6605,7 +6606,7 @@ static int hdd_set_ratemask_params(struct hdd_context *hdd_ctx,
int ret, rem;
struct config_ratemask_params rate_params[RATEMASK_PARAMS_TYPE_MAX];
uint8_t ratemask_type, num_ratemask = 0, len;
uint32_t bitmap[RATEMASK_PARAMS_TYPE_MAX] = {0};
uint32_t bitmap[RATEMASK_PARAMS_BITMAP_MAX / 4];
ret = wlan_cfg80211_nla_parse(tb,
RATEMASK_PARAMS_MAX,
@@ -6658,7 +6659,8 @@ static int hdd_set_ratemask_params(struct hdd_context *hdd_ctx,
}
len = nla_len(tb2[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP]);
nla_memcpy((void *)bitmap,
qdf_mem_zero(bitmap, sizeof(bitmap));
nla_memcpy(bitmap,
tb2[QCA_WLAN_VENDOR_ATTR_RATEMASK_PARAMS_BITMAP],
len);