qcacmn: Avoid buffer overread when retrieving cnss diag cmd

In cnss_diag_cmd_handler(), add a length check for the command attribute.
This prevents the possibility of a buffer overread or underrun.
Also add an audit comment explaining why the policy table
is not used in this API.

Change-Id: I023bbf3789498f315fd1bff8db8ef8257abb2b04
CRs-Fixed: 2058580
Tushnim Bhattacharyya
2017-06-06 17:18:30 -07:00
committed by snandini
parent 64c3d8438f
commit 3db6b3cc4e


@@ -4161,6 +4161,10 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
struct dbglog_slot *slot = NULL; struct dbglog_slot *slot = NULL;
struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1]; struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_MAX + 1];
/*
* audit note: it is ok to pass a NULL policy here since a
* length check on the data is added later already
*/
if (nla_parse(tb, CLD80211_ATTR_MAX, data, data_len, NULL)) { if (nla_parse(tb, CLD80211_ATTR_MAX, data, data_len, NULL)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: nla parse fails \n", AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: nla parse fails \n",
__func__)); __func__));
@@ -4172,6 +4176,12 @@ static void cnss_diag_cmd_handler(const void *data, int data_len,
__func__)); __func__));
return; return;
} }
if (nla_len(tb[CLD80211_ATTR_DATA]) != sizeof(struct dbglog_slot)) {
AR_DEBUG_PRINTF(ATH_DEBUG_ERR, ("%s: attr length check fails\n",
__func__));
return;
}
slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]); slot = (struct dbglog_slot *)nla_data(tb[CLD80211_ATTR_DATA]);
if (!slot) { if (!slot) {