From 7b5cffe84f2c16ab8957e2cac5a395cd378c11b4 Mon Sep 17 00:00:00 2001
From: Naveen Rawat
Date: Thu, 21 Dec 2017 11:30:40 -0800
Subject: [PATCH] qcacmn: Avoid null pointer dereference and OOB access

Avoid possible null pointer dereferece and out of bound access in NAN component.

Change-Id: I40ba4e340e34e8975c782c0a6329322e3c151326
CRs-Fixed: 2160751
---
 os_if/linux/nan/src/os_if_nan.c | 99 +++++++++++++------
 .../obj_mgr/inc/wlan_objmgr_vdev_obj.h | 3 +-
 umac/cmn_services/utils/inc/wlan_utility.h | 12 ++-
 umac/cmn_services/utils/src/wlan_utility.c | 32 +++++-
 umac/nan/dispatcher/src/nan_ucfg_api.c | 10 +-
 5 files changed, 116 insertions(+), 40 deletions(-)

diff --git a/os_if/linux/nan/src/os_if_nan.c b/os_if/linux/nan/src/os_if_nan.c
index 1f2269a2c4..23b86fb014 100644
--- a/os_if/linux/nan/src/os_if_nan.c
+++ b/os_if/linux/nan/src/os_if_nan.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -772,12 +772,14 @@ ndp_responder_rsp_nla_failed:
 static void os_if_ndp_indication_handler(struct wlan_objmgr_vdev *vdev,
 struct nan_datapath_indication_event *event)
 {
+ uint8_t *ifname;
 uint16_t data_len;
+ uint8_t ifname_len;
 uint32_t ndp_qos_config;
 struct sk_buff *vendor_event;
+ enum nan_datapath_state state;
 struct wlan_objmgr_pdev *pdev = wlan_vdev_get_pdev(vdev);
 struct pdev_osif_priv *os_priv = wlan_pdev_get_ospriv(pdev);
- enum nan_datapath_state state;
 
 if (!event) {
 cfg80211_err("Invalid NDP Indication");
@@ -796,9 +798,20 @@ static void os_if_ndp_indication_handler(struct wlan_objmgr_vdev *vdev,
 return;
 }
 
- data_len = (5 * sizeof(uint32_t)) + (2 * QDF_MAC_ADDR_SIZE) + IFNAMSIZ +
- event->ndp_info.ndp_app_info_len + event->scid.scid_len +
- (10 * NLA_HDRLEN) + NLMSG_HDRLEN;
+ ifname = wlan_util_vdev_get_if_name(vdev);
+ if (!ifname) {
+ cfg80211_err("ifname is null");
+ return;
+ }
+ ifname_len = qdf_str_len(ifname);
+ if (ifname_len > IFNAMSIZ) {
+ cfg80211_err("ifname(%d) too long", ifname_len);
+ return;
+ }
+
+ data_len = (5 * sizeof(uint32_t)) + (2 * QDF_MAC_ADDR_SIZE) +
+ ifname_len + event->ndp_info.ndp_app_info_len +
+ event->scid.scid_len + (10 * NLA_HDRLEN) + NLMSG_HDRLEN;
 
 /* notify response to the upper layer */
 vendor_event = cfg80211_vendor_event_alloc(os_priv->wiphy,
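Review bot: The length check `if (ifname_len > IFNAMSIZ)` compares a value that has already been narrowed into a `uint8_t`, while `qdf_str_len()` appears to return a wider type, so the variable type and the comparison do not match; `uint32_t ifname_len;` (or `size_t`) keeps the bound meaningful, and since the kernel's `net_device.name` is a `char[IFNAMSIZ]` a length equal to IFNAMSIZ can only come from an unterminated name, so `>= IFNAMSIZ` is the tighter bound. The attribute put a few lines later now carries `ifname_len` bytes with no terminating NUL where the old code always put IFNAMSIZ bytes; a userspace reader that treated QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR as a fixed, NUL-terminated field would need to honour nla_len instead, which I cannot verify from here. The same ten-line lookup-and-check block is repeated verbatim in the confirm handler hunk at @@ -933, so a small static helper returning the validated name and length would keep the two in step. The body of os_if_ndp_indication_handler starts and ends outside this hunk.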
@@ -811,44 +824,44 @@ static void os_if_ndp_indication_handler(struct wlan_objmgr_vdev *vdev,
 }
 
 if (nla_put_u32(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_SUBCMD,
- QCA_WLAN_VENDOR_ATTR_NDP_REQUEST_IND))
+ QCA_WLAN_VENDOR_ATTR_NDP_REQUEST_IND))
 goto ndp_indication_nla_failed;
 
 if (nla_put(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR,
- IFNAMSIZ, "nan0"/* adapter->dev->name - fetch dev name */))
+ ifname_len, ifname))
 goto ndp_indication_nla_failed;
 
 if (nla_put_u32(vendor_event,
- QCA_WLAN_VENDOR_ATTR_NDP_SERVICE_INSTANCE_ID,
- event->service_instance_id))
+ QCA_WLAN_VENDOR_ATTR_NDP_SERVICE_INSTANCE_ID,
+ event->service_instance_id))
 goto ndp_indication_nla_failed;
 
 if (nla_put(vendor_event,
- QCA_WLAN_VENDOR_ATTR_NDP_NDI_MAC_ADDR,
- QDF_MAC_ADDR_SIZE, event->peer_mac_addr.bytes))
+ QCA_WLAN_VENDOR_ATTR_NDP_NDI_MAC_ADDR,
+ QDF_MAC_ADDR_SIZE, event->peer_mac_addr.bytes))
 goto ndp_indication_nla_failed;
 
 if (nla_put(vendor_event,
- QCA_WLAN_VENDOR_ATTR_NDP_PEER_DISCOVERY_MAC_ADDR,
- QDF_MAC_ADDR_SIZE, event->peer_discovery_mac_addr.bytes))
+ QCA_WLAN_VENDOR_ATTR_NDP_PEER_DISCOVERY_MAC_ADDR,
+ QDF_MAC_ADDR_SIZE, event->peer_discovery_mac_addr.bytes))
 goto ndp_indication_nla_failed;
 
 if (nla_put_u32(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_INSTANCE_ID,
- event->ndp_instance_id))
+ event->ndp_instance_id))
 goto ndp_indication_nla_failed;
 
 if (event->ndp_info.ndp_app_info_len)
 if (nla_put(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_APP_INFO,
- event->ndp_info.ndp_app_info_len,
- event->ndp_info.ndp_app_info))
+ event->ndp_info.ndp_app_info_len,
+ event->ndp_info.ndp_app_info))
 goto ndp_indication_nla_failed;
 
 if (event->ndp_config.ndp_cfg_len) {
 ndp_qos_config = *((uint32_t *)event->ndp_config.ndp_cfg);
 /* at present ndp config stores 4 bytes QOS info only */
 if (nla_put_u32(vendor_event,
- QCA_WLAN_VENDOR_ATTR_NDP_CONFIG_QOS,
- ndp_qos_config))
+ QCA_WLAN_VENDOR_ATTR_NDP_CONFIG_QOS,
+ ndp_qos_config))
 goto ndp_indication_nla_failed;
 }
 
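Review bot: The `ndp_cfg_len` branch near the end of this hunk still reads `*((uint32_t *)event->ndp_config.ndp_cfg)` whenever the length is non-zero, so a length of 1 to 3 reads beyond what was actually filled, and the cast also assumes the buffer is 4-byte aligned; for a commit whose subject is out-of-bound access the guard should be `if (event->ndp_config.ndp_cfg_len >= sizeof(ndp_qos_config)) {` with the value fetched by `qdf_mem_copy(&ndp_qos_config, event->ndp_config.ndp_cfg, sizeof(ndp_qos_config));`. Those lines are unchanged context here, so whether `ndp_cfg_len` is already validated where the event is assembled is not visible from this hunk. The comment "at present ndp config stores 4 bytes QOS info only" would then describe the check rather than an assumption. The function continues on both sides of the hunk.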
@@ -859,15 +872,15 @@ static void os_if_ndp_indication_handler(struct wlan_objmgr_vdev *vdev,
 goto ndp_indication_nla_failed;
 
 if (nla_put(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_SCID,
- event->scid.scid_len,
- event->scid.scid))
+ event->scid.scid_len,
+ event->scid.scid))
 goto ndp_indication_nla_failed;
 
 cfg80211_debug("csid: %d, scid_len: %d",
- event->ncs_sk_type, event->scid.scid_len);
+ event->ncs_sk_type, event->scid.scid_len);
 
 QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_DEBUG,
- event->scid.scid, event->scid.scid_len);
+ event->scid.scid, event->scid.scid_len);
 }
 
 cfg80211_vendor_event(vendor_event, GFP_ATOMIC);
@@ -898,8 +911,10 @@ static void os_if_ndp_confirm_ind_handler(struct wlan_objmgr_vdev *vdev,
 struct nan_datapath_confirm_event *ndp_confirm)
 {
 int idx = 0;
+ uint8_t *ifname;
 uint32_t data_len;
 QDF_STATUS status;
+ uint8_t ifname_len;
 uint32_t ndp_qos_config = 0;
 struct sk_buff *vendor_event;
 struct wlan_objmgr_pdev *pdev = wlan_vdev_get_pdev(vdev);
@@ -933,7 +948,18 @@ static void os_if_ndp_confirm_ind_handler(struct wlan_objmgr_vdev *vdev,
 idx);
 }
 
- data_len = (4 * sizeof(uint32_t)) + QDF_MAC_ADDR_SIZE + IFNAMSIZ +
+ ifname = wlan_util_vdev_get_if_name(vdev);
+ if (!ifname) {
+ cfg80211_err("ifname is null");
+ return;
+ }
+ ifname_len = qdf_str_len(ifname);
+ if (ifname_len > IFNAMSIZ) {
+ cfg80211_err("ifname(%d) too long", ifname_len);
+ return;
+ }
+
+ data_len = (4 * sizeof(uint32_t)) + QDF_MAC_ADDR_SIZE + ifname_len +
 NLMSG_HDRLEN + (7 * NLA_HDRLEN) +
 ndp_confirm->ndp_info.ndp_app_info_len;
 
@@ -957,14 +983,15 @@ static void os_if_ndp_confirm_ind_handler(struct wlan_objmgr_vdev *vdev,
 goto ndp_confirm_nla_failed;
 
 if (nla_put(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_NDI_MAC_ADDR,
- QDF_MAC_ADDR_SIZE, ndp_confirm->peer_ndi_mac_addr.bytes))
+ QDF_MAC_ADDR_SIZE, ndp_confirm->peer_ndi_mac_addr.bytes))
 goto ndp_confirm_nla_failed;
 
 if (nla_put(vendor_event, QCA_WLAN_VENDOR_ATTR_NDP_IFACE_STR,
- IFNAMSIZ, "nan0" /* TBD adapter->dev->name - fetch name */))
+ ifname_len, ifname))
 goto ndp_confirm_nla_failed;
 
- if (ndp_confirm->ndp_info.ndp_app_info_len && nla_put(vendor_event,
+ if (ndp_confirm->ndp_info.ndp_app_info_len &&
+ nla_put(vendor_event,
 QCA_WLAN_VENDOR_ATTR_NDP_APP_INFO,
 ndp_confirm->ndp_info.ndp_app_info_len,
 ndp_confirm->ndp_info.ndp_app_info))
@@ -982,10 +1009,10 @@ static void os_if_ndp_confirm_ind_handler(struct wlan_objmgr_vdev *vdev,
 cfg80211_vendor_event(vendor_event, GFP_ATOMIC);
 
 cfg80211_debug("NDP confim sent, ndp instance id: %d, peer addr: %pM, ndp_cfg: %d, rsp_code: %d, reason_code: %d",
- ndp_confirm->ndp_instance_id,
- ndp_confirm->peer_ndi_mac_addr.bytes,
- ndp_qos_config, ndp_confirm->rsp_code,
- ndp_confirm->reason_code);
+ ndp_confirm->ndp_instance_id,
+ ndp_confirm->peer_ndi_mac_addr.bytes,
+ ndp_qos_config, ndp_confirm->rsp_code,
+ ndp_confirm->reason_code);
 
 cfg80211_debug("NDP confim, ndp app info dump");
 QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_DEBUG,
@@ -1352,7 +1379,7 @@ static void os_if_ndp_iface_create_rsp_handler(struct wlan_objmgr_psoc *psoc,
 ndi_rsp);
 } else {
 cfg80211_err("NDI interface creation failed with reason %d",
- ndi_rsp->reason);
+ create_reason);
 goto close_ndi;
 }
 
@@ -1463,6 +1490,11 @@ void os_if_nan_post_ndi_create_rsp(struct wlan_objmgr_psoc *psoc,
 struct wlan_objmgr_vdev *vdev = wlan_objmgr_get_vdev_by_id_from_psoc(
 psoc, vdev_id, WLAN_NAN_ID);
 
+ if (!vdev) {
+ cfg80211_err("vdev is null");
+ return;
+ }
+
 if (success) {
 rsp.status = NAN_DATAPATH_RSP_STATUS_SUCCESS;
 rsp.reason = 0;
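Review bot: The new `if (!vdev)` guard in the create-rsp hunk (and its twin in the delete-rsp hunk that follows) logs "vdev is null" without the identifier that was just looked up, so the failure cannot be attributed from a log; `cfg80211_err("vdev %d is null", vdev_id);` costs nothing since `vdev_id` is already an argument of the lookup call. On the create path the early return also means no `rsp` is posted at all, so anything upstream that waits for a create response for that vdev id (the `close_ndi` handling in the @@ -1352 hunk suggests such a path exists) may never be signalled; I cannot see that caller, so this is worth confirming rather than a certain defect. Both functions continue outside their hunks.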
@@ -1483,6 +1515,11 @@ void os_if_nan_post_ndi_delete_rsp(struct wlan_objmgr_psoc *psoc,
 struct nan_datapath_inf_delete_rsp rsp = {0};
 struct wlan_objmgr_vdev *vdev = wlan_objmgr_get_vdev_by_id_from_psoc(
 psoc, vdev_id, WLAN_NAN_ID);
+ if (!vdev) {
+ cfg80211_err("vdev is null");
+ return;
+ }
+
 if (success) {
 rsp.status = NAN_DATAPATH_RSP_STATUS_SUCCESS;
 rsp.reason = 0;
diff --git a/umac/cmn_services/obj_mgr/inc/wlan_objmgr_vdev_obj.h b/umac/cmn_services/obj_mgr/inc/wlan_objmgr_vdev_obj.h
index 6af39807da..0d514a7c25 100644
--- a/umac/cmn_services/obj_mgr/inc/wlan_objmgr_vdev_obj.h
+++ b/umac/cmn_services/obj_mgr/inc/wlan_objmgr_vdev_obj.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2016-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2016-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -1457,4 +1457,5 @@ static inline uint16_t wlan_vdev_get_max_peer_count(
 * Return: true in case success else false
 */
 bool wlan_vdev_is_connected(struct wlan_objmgr_vdev *vdev);
+
 #endif /* _WLAN_OBJMGR_VDEV_OBJ_H_*/
diff --git a/umac/cmn_services/utils/inc/wlan_utility.h b/umac/cmn_services/utils/inc/wlan_utility.h
index 35e32ee732..d797ff8135 100644
--- a/umac/cmn_services/utils/inc/wlan_utility.h
+++ b/umac/cmn_services/utils/inc/wlan_utility.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -148,4 +148,14 @@ struct wlan_objmgr_vdev *wlan_util_get_vdev_by_ifname(
 struct wlan_objmgr_psoc *psoc, char *ifname,
 wlan_objmgr_ref_dbgid ref_id);
 
+/**
+ * wlan_util_vdev_get_if_name() - get vdev's interface name
+ * @vdev: VDEV object
+ *
+ * API to get vdev's interface name
+ *
+ * Return:
+ * @id: vdev's interface name
+ */
+uint8_t *wlan_util_vdev_get_if_name(struct wlan_objmgr_vdev *vdev);
 #endif /* _WLAN_UTILITY_H_ */
diff --git a/umac/cmn_services/utils/src/wlan_utility.c b/umac/cmn_services/utils/src/wlan_utility.c
index 1650a7c2e1..b8bf766180 100644
--- a/umac/cmn_services/utils/src/wlan_utility.c
+++ b/umac/cmn_services/utils/src/wlan_utility.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -208,4 +208,32 @@ struct wlan_objmgr_vdev *wlan_util_get_vdev_by_ifname(
 
 return filter.found_vdev;
 }
-EXPORT_SYMBOL(wlan_util_get_vdev_by_ifname);
+
+/**
+ * wlan_util_vdev_get_if_name() - get vdev's interface name
+ * @vdev: VDEV object
+ *
+ * API to get vdev's interface name
+ *
+ * Return:
+ * @id: vdev's interface name
+ */
+uint8_t *wlan_util_vdev_get_if_name(struct wlan_objmgr_vdev *vdev)
+{
+ uint8_t *name;
+ struct vdev_osif_priv *osif_priv;
+
+ wlan_vdev_obj_lock(vdev);
+
+ osif_priv = wlan_vdev_get_ospriv(vdev);
+ if (!osif_priv) {
+ wlan_vdev_obj_unlock(vdev);
+ return NULL;
+ }
+
+ name = osif_priv->wdev->netdev->name;
+ wlan_vdev_obj_unlock(vdev);
+
+ return name;
+}
+EXPORT_SYMBOL(wlan_util_vdev_get_if_name);
diff --git a/umac/nan/dispatcher/src/nan_ucfg_api.c b/umac/nan/dispatcher/src/nan_ucfg_api.c
index 32d7e2f616..d01f00dddb 100644
--- a/umac/nan/dispatcher/src/nan_ucfg_api.c
+++ b/umac/nan/dispatcher/src/nan_ucfg_api.c
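Review bot: The kernel-doc added for wlan_util_vdev_get_if_name() documents its result as `@id: vdev's interface name`, which reads as a leftover from another function and says nothing about the NULL return or about the pointer aliasing the netdev's own name storage rather than a copy; suggest `Return: pointer to the netdev name held by the vdev's OS private data, or NULL if that data is not available`. The same comment block is duplicated on the definition in wlan_utility.c in this commit, so both copies should be updated together.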
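Review bot: `name = osif_priv->wdev->netdev->name;` dereferences `wdev` and `netdev` with only `osif_priv` checked, so a vdev whose OS private data is allocated but whose wdev or netdev is not yet (or no longer) populated would still fault in a helper added to avoid null dereferences; `if (!osif_priv || !osif_priv->wdev || !osif_priv->wdev->netdev) {` reuses the existing unlock-and-return-NULL path for those cases. The vdev lock is released before the returned pointer is consumed, so it protects the `osif_priv` lookup only; the callers in os_if_nan.c then read the name bytes into a netlink message after the return, which is sound only if netdev lifetime is guaranteed across that window by some other means I cannot see here. This hunk also deletes `EXPORT_SYMBOL(wlan_util_get_vdev_by_ifname);`, which is unrelated to the stated fix and not mentioned in the commit message; any module importing that symbol would stop linking, so either keep the export or explain its removal.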
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -109,8 +109,8 @@ inline QDF_STATUS ucfg_nan_set_active_ndp_sessions(
 return QDF_STATUS_E_NULL_VALUE;
 }
 
- if (idx > MAX_PEERS) {
- nan_err("peer_idx(%d) is greater than MAX(%d) is null",
+ if (idx >= MAX_PEERS) {
+ nan_err("peer_idx(%d), MAX(%d)",
 idx, MAX_PEERS);
 return QDF_STATUS_E_NULL_VALUE;
 }
@@ -133,8 +133,8 @@ inline uint32_t ucfg_nan_get_active_ndp_sessions(struct wlan_objmgr_vdev *vdev,
 return 0;
 }
 
- if (idx > MAX_PEERS) {
- nan_err("peer_idx(%d) is greater than MAX(%d) is null",
+ if (idx >= MAX_PEERS) {
+ nan_err("peer_idx(%d), MAX(%d)",
 idx, MAX_PEERS);
 return 0;
 }
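Review bot: The corrected bound `idx >= MAX_PEERS` still returns `QDF_STATUS_E_NULL_VALUE` for what is an out-of-range index rather than a missing pointer, so a caller cannot distinguish the two failures; `return QDF_STATUS_E_INVAL;` is the status that matches the condition (the getter in the second hunk returns the in-band `0`, which is likewise indistinguishable from a genuine zero count). The declaration of `idx` is outside both hunks; if it is a signed type, a negative value passes this check and indexes before the array, so confirm it is unsigned or add `idx < 0` to the guard. Both functions begin before their hunks.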