qcacld-3.0: Specify a policy when parsing TSF commands

In __wlan_hdd_cfg80211_handle_tsf_cmd(), nla_parse() is called to parse the TSF command attributes. Currently a policy is not specified. This prevents nla_parse() from doing basic validation of the attributes, and in some circumstances could result in a buffer overread. To avoid this issue define an appropriate policy and use it in the invocation of nla_parse(). Change-Id: Ic246cf8cf78b043af38198c301465c088b12184a CRs-Fixed: 2054776
2017-06-02 13:43:36 -07:00
--- a/core/hdd/src/wlan_hdd_tsf.c
+++ b/core/hdd/src/wlan_hdd_tsf.c
@@ -241,6 +241,10 @@ int hdd_get_tsf_cb(void *pcb_cxt, struct stsf *ptsf)
 	return 0;
 }

+static const struct nla_policy tsf_policy[QCA_WLAN_VENDOR_ATTR_TSF_MAX + 1] = {
+	[QCA_WLAN_VENDOR_ATTR_TSF_CMD] = {.type = NLA_U32},
+};
+
 /**
 * __wlan_hdd_cfg80211_handle_tsf_cmd(): Setup TSF operations
 * @wiphy: Pointer to wireless phy
@@ -272,7 +276,7 @@ static int __wlan_hdd_cfg80211_handle_tsf_cmd(struct wiphy *wiphy,
 		return -EINVAL;

 	if (nla_parse(tb_vendor, QCA_WLAN_VENDOR_ATTR_TSF_MAX, data,
-		      data_len, NULL)) {
+		      data_len, tsf_policy)) {
 		hdd_err("Invalid TSF cmd");
 		return -EINVAL;
 	}