qcacld-3.0: Avoid possible OOB access in set trace level

In QCA_NL80211_VENDOR_SUBCMD_SET_TRACE_LEVEL command handler when nested attributes are getting parsed no NLA policy is used, as no NLA policy is defined for MODULE_ID and TRACE_MASK, these attributes will be treated as NLA_UNSPEC types and can have a length of zero bytes. Later when these attributes are accessed using nla_get_u32() this will result in OOB read. Change-Id: I7d4913feccb00877ac5f40bab8ff5e9e3891756f CRs-Fixed: 2410900
2019-03-18 20:23:47 +05:30
commit 69903257ef
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -11144,8 +11144,9 @@ __wlan_hdd_cfg80211_set_trace_level(struct wiphy *wiphy,
 	nla_for_each_nested(apth,
 			tb1[QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_PARAM], rem) {
 		if (wlan_cfg80211_nla_parse(tb2,
-				       QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_MAX,
-				       nla_data(apth), nla_len(apth), NULL)) {
+				     QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_MAX,
+				     nla_data(apth), nla_len(apth),
+				     qca_wlan_vendor_set_trace_level_policy)) {
 			hdd_err("Invalid attr");
 			return -EINVAL;
 		}