Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacld-3.0: Fix out of bound access in sta_to_adapter

Array sta_to_adapter of hdd_ctx is accessed from several functions of
NAN and softap without bound check which can lead to out of bound read
or write access.

To fix this, add range check for sta_id.

Change-Id: I0b8c4e8bce26c6514df489c3305000691c7e1fe0
CRs-Fixed: 2456954
Rajeev Kumar Sirasanagandla 5 years ago
parent
2c3e85f2ee
commit
7172b499a6
3 changed files with 66 additions and 17 deletions
Split View Show Diff Stats
  1. 39 11
      core/hdd/src/wlan_hdd_nan_datapath.c
  2. 5 0
      core/hdd/src/wlan_hdd_ocb.c
  3. 22 6
      core/hdd/src/wlan_hdd_softap_tx_rx.c

+ 39 - 11
core/hdd/src/wlan_hdd_nan_datapath.c
View File 

@@ -624,6 +624,7 @@ int hdd_ndi_delete(uint8_t vdev_id, char *iface_name, uint16_t transaction_id)
 
 	struct hdd_adapter *adapter;
 
 	struct hdd_station_ctx *sta_ctx;
 
 	struct hdd_context *hdd_ctx = cds_get_context(QDF_MODULE_ID_HDD);
 
+	uint8_t sta_id;
 
 
 	if (!hdd_ctx) {
 
 		hdd_err("hdd_ctx is null");
 
@@ -643,8 +644,14 @@ int hdd_ndi_delete(uint8_t vdev_id, char *iface_name, uint16_t transaction_id)
 
 		return -EINVAL;
 
 	}
 
 
+	sta_id = sta_ctx->broadcast_sta_id;
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta id %u", sta_id);
 
+		return -EINVAL;
 
+	}
 
+
 
 	/* Since, the interface is being deleted, remove the broadcast id. */
 
-	hdd_ctx->sta_to_adapter[sta_ctx->broadcast_sta_id] = 0;
 
+	hdd_ctx->sta_to_adapter[sta_id] = NULL;
 
 	sta_ctx->broadcast_sta_id = HDD_WLAN_INVALID_STA_ID;
 
 
 	os_if_nan_set_ndp_delete_transaction_id(adapter->vdev,
 
@@ -670,6 +677,7 @@ void hdd_ndi_drv_ndi_create_rsp_handler(uint8_t vdev_id,
 
 	struct csr_roam_info *roam_info;
 
 	struct bss_description tmp_bss_descp = {0};
 
 	struct qdf_mac_addr bc_mac_addr = QDF_MAC_ADDR_BCAST_INIT;
 
+	uint8_t sta_id;
 
 
 	hdd_ctx = cds_get_context(QDF_MODULE_ID_HDD);
 
 	if (!hdd_ctx) {
 
@@ -689,6 +697,12 @@ void hdd_ndi_drv_ndi_create_rsp_handler(uint8_t vdev_id,
 
 		return;
 
 	}
 
 
+	sta_id = ndi_rsp->sta_id;
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta id %u", sta_id);
 
+		return;
 
+	}
 
+
 
 	roam_info = qdf_mem_malloc(sizeof(*roam_info));
 
 	if (!roam_info)
 
 		return;
 
@@ -706,12 +720,11 @@ void hdd_ndi_drv_ndi_create_rsp_handler(uint8_t vdev_id,
 
 			ndi_rsp->reason /* create_reason */);
 
 	}
 
 
-	sta_ctx->broadcast_sta_id = ndi_rsp->sta_id;
 
-	hdd_save_peer(sta_ctx, sta_ctx->broadcast_sta_id, &bc_mac_addr);
 
-	hdd_roam_register_sta(adapter, roam_info,
 
-			      sta_ctx->broadcast_sta_id,
 
-			      &tmp_bss_descp);
 
-	hdd_ctx->sta_to_adapter[sta_ctx->broadcast_sta_id] = adapter;
 
+	sta_ctx->broadcast_sta_id = sta_id;
 
+	hdd_save_peer(sta_ctx, sta_id, &bc_mac_addr);
 
+	hdd_roam_register_sta(adapter, roam_info, sta_id, &tmp_bss_descp);
 
+	hdd_ctx->sta_to_adapter[sta_id] = adapter;
 
+
 
 	qdf_mem_free(roam_info);
 
 }
 
 
@@ -740,6 +753,7 @@ void hdd_ndi_drv_ndi_delete_rsp_handler(uint8_t vdev_id)
 
 	struct hdd_context *hdd_ctx;
 
 	struct hdd_adapter *adapter;
 
 	struct hdd_station_ctx *sta_ctx;
 
+	uint8_t sta_id;
 
 
 	hdd_ctx = cds_get_context(QDF_MODULE_ID_HDD);
 
 	if (!hdd_ctx) {
 
@@ -759,10 +773,13 @@ void hdd_ndi_drv_ndi_delete_rsp_handler(uint8_t vdev_id)
 
 		return;
 
 	}
 
 
-	hdd_ctx->sta_to_adapter[sta_ctx->broadcast_sta_id] = NULL;
 
-	hdd_roam_deregister_sta(adapter, sta_ctx->broadcast_sta_id);
 
-	hdd_delete_peer(sta_ctx, sta_ctx->broadcast_sta_id);
 
-	sta_ctx->broadcast_sta_id = HDD_WLAN_INVALID_STA_ID;
 
+	sta_id = sta_ctx->broadcast_sta_id;
 
+	if (sta_id < HDD_MAX_ADAPTERS) {
 
+		hdd_ctx->sta_to_adapter[sta_id] = NULL;
 
+		hdd_roam_deregister_sta(adapter, sta_id);
 
+		hdd_delete_peer(sta_ctx, sta_id);
 
+		sta_ctx->broadcast_sta_id = HDD_WLAN_INVALID_STA_ID;
 
+	}
 
 
 	wlan_hdd_netif_queue_control(adapter,
 
 				     WLAN_STOP_ALL_NETIF_QUEUE_N_CARRIER,
 
@@ -812,6 +829,11 @@ int hdd_ndp_new_peer_handler(uint8_t vdev_id, uint16_t sta_id,
 
 		return -EINVAL;
 
 	}
 
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta_id: %u", sta_id);
 
+		return -EINVAL;
 
+	}
 
+
 
 	/* save peer in ndp ctx */
 
 	if (false == hdd_save_peer(sta_ctx, sta_id, peer_mac_addr)) {
 
 		hdd_err("Ndp peer table full. cannot save new peer");
 
@@ -873,6 +895,11 @@ void hdd_ndp_peer_departed_handler(uint8_t vdev_id, uint16_t sta_id,
 
 		return;
 
 	}
 
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta_id: %u", sta_id);
 
+		return;
 
+	}
 
+
 
 	hdd_roam_deregister_sta(adapter, sta_id);
 
 	hdd_delete_peer(sta_ctx, sta_id);
 
 	hdd_ctx->sta_to_adapter[sta_id] = NULL;
 
@@ -886,5 +913,6 @@ void hdd_ndp_peer_departed_handler(uint8_t vdev_id, uint16_t sta_id,
 
 		wlan_hdd_netif_queue_control(adapter, WLAN_STOP_ALL_NETIF_QUEUE,
 
 					     WLAN_CONTROL_PATH);
 
 	}
 
+
 
 	hdd_exit();
 
 }

+ 5 - 0
core/hdd/src/wlan_hdd_ocb.c
View File 

@@ -232,6 +232,11 @@ static int hdd_ocb_register_sta(struct hdd_adapter *adapter)
 
 		return -EINVAL;
 
 	}
 
 
+	if (peer_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid peer_id: %u", peer_id);
 
+		return -EINVAL;
 
+	}
 
+
 
 	hdd_ctx->sta_to_adapter[peer_id] = adapter;
 
 
 	sta_desc.sta_id = peer_id;

+ 22 - 6
core/hdd/src/wlan_hdd_softap_tx_rx.c
View File 

@@ -976,6 +976,12 @@ QDF_STATUS hdd_softap_deregister_sta(struct hdd_adapter *adapter,
 
 	}
 
 
 	hdd_ctx = WLAN_HDD_GET_CTX(adapter);
 
+
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta_id: %u", sta_id);
 
+		return QDF_STATUS_E_INVAL;
 
+	}
 
+
 
 	/* Clear station in TL and then update HDD data
 
 	 * structures. This helps to block RX frames from other
 
 	 * station to this station.
 
@@ -1029,6 +1035,11 @@ QDF_STATUS hdd_softap_register_sta(struct hdd_adapter *adapter,
 
 	hdd_info("STA:%u, Auth:%u, Priv:%u, WMM:%u",
 
 		 sta_id, auth_required, privacy_required, wmm_enabled);
 
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta_id: %u", sta_id);
 
+		return qdf_status;
 
+	}
 
+
 
 	/*
 
 	 * Clean up old entry if it is not cleaned up properly
 
 	 */
 
@@ -1140,15 +1151,20 @@ QDF_STATUS hdd_softap_register_bc_sta(struct hdd_adapter *adapter,
 
 	struct hdd_context *hdd_ctx = WLAN_HDD_GET_CTX(adapter);
 
 	struct qdf_mac_addr broadcast_macaddr = QDF_MAC_ADDR_BCAST_INIT;
 
 	struct hdd_ap_ctx *ap_ctx;
 
+	uint8_t sta_id;
 
 
 	ap_ctx = WLAN_HDD_GET_AP_CTX_PTR(adapter);
 
+	sta_id = ap_ctx->broadcast_sta_id;
 
 
-	hdd_ctx->sta_to_adapter[WLAN_RX_BCMC_STA_ID] = adapter;
 
-	hdd_ctx->sta_to_adapter[ap_ctx->broadcast_sta_id] = adapter;
 
-	qdf_status =
 
-		hdd_softap_register_sta(adapter, false, privacy_required,
 
-					ap_ctx->broadcast_sta_id,
 
-					&broadcast_macaddr, 0);
 
+	if (sta_id >= HDD_MAX_ADAPTERS) {
 
+		hdd_err("Error: Invalid sta_id: %u", sta_id);
 
+		return qdf_status;
 
+	}
 
+
 
+	hdd_ctx->sta_to_adapter[sta_id] = adapter;
 
+	qdf_status = hdd_softap_register_sta(adapter, false,
 
+					     privacy_required, sta_id,
 
+					     &broadcast_macaddr, 0);
 
 
 	return qdf_status;
 
 }