qcacld-3.0: Add length sanity check in iw_set_keepalive_params
Propagation from qcacld-2.0 to qcacld-3.0 Add length sanity check in iw_set_keepalive_params to avoid stack over flow. Change-Id: If59794d1b5f8efad2fe54844fab0e7cea9b1b983 CRs-Fixed: 932466
Dieser Commit ist enthalten in:
Rajeev Kumar
committet von
Prakash Dhavali
Prakash Dhavali
Ursprung
56951330f8
Commit
3ddf1c639f
@@ -283,16 +283,6 @@ typedef struct ccp_freq_chan_map_s {
|
||||
#define WLAN_KEEP_ALIVE_UNSOLICIT_ARP_RSP 2
|
||||
#define WLAN_KEEP_ALIVE_NULL_PKT 1
|
||||
|
||||
/* Offload request. */
|
||||
typedef struct {
|
||||
uint8_t packetType;
|
||||
uint32_t timePeriod;
|
||||
uint8_t hostIpv4Addr[4];
|
||||
uint8_t destIpv4Addr[4];
|
||||
uint8_t destMacAddr[ETH_ALEN];
|
||||
uint8_t bssIdx;
|
||||
} tKeepAliveRequest, *tpKeepAliveRequest;
|
||||
|
||||
#define wlan_hdd_get_wps_ie_ptr(ie, ie_len) \
|
||||
wlan_hdd_get_vendor_oui_ie_ptr(WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE, ie, ie_len)
|
||||
|
||||
|
||||
@@ -8434,8 +8434,7 @@ static int __iw_set_keepalive_params(struct net_device *dev,
|
||||
union iwreq_data *wrqu, char *extra)
|
||||
{
|
||||
hdd_adapter_t *pAdapter = WLAN_HDD_GET_PRIV_PTR(dev);
|
||||
tpKeepAliveRequest pRequest = (tpKeepAliveRequest) extra;
|
||||
tSirKeepAliveReq keepaliveRequest;
|
||||
tpSirKeepAliveReq request = (tpSirKeepAliveReq) extra;
|
||||
hdd_context_t *hdd_ctx;
|
||||
int ret;
|
||||
|
||||
@@ -8444,61 +8443,51 @@ static int __iw_set_keepalive_params(struct net_device *dev,
|
||||
if (0 != ret)
|
||||
return ret;
|
||||
|
||||
if (pRequest->timePeriod > WNI_CFG_INFRA_STA_KEEP_ALIVE_PERIOD_STAMAX) {
|
||||
hddLog(LOGE, FL("Value of timePeriod %d exceed Max limit %d"),
|
||||
pRequest->timePeriod,
|
||||
if (wrqu->data.length != sizeof(*request)) {
|
||||
hdd_err("Invalid length %d", wrqu->data.length);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (request->timePeriod > WNI_CFG_INFRA_STA_KEEP_ALIVE_PERIOD_STAMAX) {
|
||||
hdd_err("Value of timePeriod %d exceed Max limit %d",
|
||||
request->timePeriod,
|
||||
WNI_CFG_INFRA_STA_KEEP_ALIVE_PERIOD_STAMAX);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
/* Debug display of request components. */
|
||||
hddLog(CDF_TRACE_LEVEL_INFO,
|
||||
"%s: Set Keep Alive Request : TimePeriod %d size %zu",
|
||||
__func__, pRequest->timePeriod, sizeof(tKeepAliveRequest));
|
||||
hdd_info("Set Keep Alive Request : TimePeriod %d size %zu",
|
||||
request->timePeriod, sizeof(tSirKeepAliveReq));
|
||||
|
||||
switch (pRequest->packetType) {
|
||||
switch (request->packetType) {
|
||||
case WLAN_KEEP_ALIVE_NULL_PKT:
|
||||
hddLog(CDF_TRACE_LEVEL_WARN, "%s: Keep Alive Request: Tx NULL",
|
||||
__func__);
|
||||
hdd_info("Keep Alive Request: Tx NULL");
|
||||
break;
|
||||
|
||||
case WLAN_KEEP_ALIVE_UNSOLICIT_ARP_RSP:
|
||||
hddLog(CDF_TRACE_LEVEL_INFO_HIGH,
|
||||
"%s: Keep Alive Request: Tx UnSolicited ARP RSP",
|
||||
__func__);
|
||||
hdd_info("Keep Alive Request: Tx UnSolicited ARP RSP");
|
||||
|
||||
hddLog(CDF_TRACE_LEVEL_WARN, " Host IP address: %d.%d.%d.%d",
|
||||
pRequest->hostIpv4Addr[0], pRequest->hostIpv4Addr[1],
|
||||
pRequest->hostIpv4Addr[2], pRequest->hostIpv4Addr[3]);
|
||||
hdd_info("Host IP address: %d.%d.%d.%d",
|
||||
request->hostIpv4Addr[0], request->hostIpv4Addr[1],
|
||||
request->hostIpv4Addr[2], request->hostIpv4Addr[3]);
|
||||
|
||||
hddLog(CDF_TRACE_LEVEL_WARN, " Dest IP address: %d.%d.%d.%d",
|
||||
pRequest->destIpv4Addr[0], pRequest->destIpv4Addr[1],
|
||||
pRequest->destIpv4Addr[2], pRequest->destIpv4Addr[3]);
|
||||
hdd_info("Dest IP address: %d.%d.%d.%d",
|
||||
request->destIpv4Addr[0], request->destIpv4Addr[1],
|
||||
request->destIpv4Addr[2], request->destIpv4Addr[3]);
|
||||
|
||||
hddLog(CDF_TRACE_LEVEL_WARN,
|
||||
" Dest MAC address: %d:%d:%d:%d:%d:%d",
|
||||
pRequest->destMacAddr[0], pRequest->destMacAddr[1],
|
||||
pRequest->destMacAddr[2], pRequest->destMacAddr[3],
|
||||
pRequest->destMacAddr[4], pRequest->destMacAddr[5]);
|
||||
hdd_info("Dest MAC address: %d:%d:%d:%d:%d:%d",
|
||||
request->destMacAddr[0], request->destMacAddr[1],
|
||||
request->destMacAddr[2], request->destMacAddr[3],
|
||||
request->destMacAddr[4], request->destMacAddr[5]);
|
||||
break;
|
||||
}
|
||||
|
||||
/* Execute keep alive request. The reason that we can copy the
|
||||
* request information from the ioctl structure to the SME
|
||||
* structure is that they are laid out exactly the same.
|
||||
* Otherwise, each piece of information would have to be
|
||||
* copied individually.
|
||||
*/
|
||||
memcpy(&keepaliveRequest, pRequest, wrqu->data.length);
|
||||
|
||||
hddLog(CDF_TRACE_LEVEL_ERROR, "set Keep: TP before SME %d",
|
||||
keepaliveRequest.timePeriod);
|
||||
hdd_info("Keep alive period %d", request->timePeriod);
|
||||
|
||||
if (CDF_STATUS_SUCCESS !=
|
||||
sme_set_keep_alive(WLAN_HDD_GET_HAL_CTX(pAdapter),
|
||||
pAdapter->sessionId, &keepaliveRequest)) {
|
||||
hddLog(CDF_TRACE_LEVEL_ERROR,
|
||||
"%s: Failure to execute Keep Alive", __func__);
|
||||
pAdapter->sessionId, request)) {
|
||||
hdd_err("Failure to execute Keep Alive");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
@@ -10559,7 +10548,7 @@ static const struct iw_priv_args we_private_args[] = {
|
||||
|
||||
{
|
||||
WLAN_SET_KEEPALIVE_PARAMS,
|
||||
IW_PRIV_TYPE_BYTE | WE_MAX_STR_LEN,
|
||||
sizeof(tSirKeepAliveReq) | IW_PRIV_SIZE_FIXED,
|
||||
0,
|
||||
"setKeepAlive"
|
||||
}
|
||||
|
||||
In neuem Issue referenzieren
Einen Benutzer sperren