samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Avoid possible OOB access in set trace level

Browse Source 
In QCA_NL80211_VENDOR_SUBCMD_SET_TRACE_LEVEL command handler
when nested attributes are getting parsed no NLA policy is
used, as no NLA policy is defined for MODULE_ID and TRACE_MASK,
these attributes will be treated as NLA_UNSPEC types and can
have a length of zero bytes. Later when these attributes
are accessed using nla_get_u32() this will result in OOB
read.

Change-Id: I7d4913feccb00877ac5f40bab8ff5e9e3891756f
CRs-Fixed: 2410900
This commit is contained in:
Ashish Kumar Dhanotiya
2019-03-18 20:23:47 +05:30
committed by nshrivas
parent 1d28d35436
commit 69903257ef
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
core/hdd/src/wlan_hdd_cfg80211.c
View File

@@ -11145,7 +11145,8 @@ __wlan_hdd_cfg80211_set_trace_level(struct wiphy *wiphy,
tb1[QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_PARAM], rem) { tb1[QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_PARAM], rem) {
if (wlan_cfg80211_nla_parse(tb2, if (wlan_cfg80211_nla_parse(tb2,
QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_MAX, QCA_WLAN_VENDOR_ATTR_SET_TRACE_LEVEL_MAX,
nla_data(apth), nla_len(apth), NULL)) { nla_data(apth), nla_len(apth),
qca_wlan_vendor_set_trace_level_policy)) {
hdd_err("Invalid attr"); hdd_err("Invalid attr");
return -EINVAL; return -EINVAL;
} }