qcacld-3.0: Add data validation for avoid frequency command

Currently in avoid frequency vendor command, data validation is not being done, since this data comes from userspace driver should not be using this data pointer without validation. To address this issue add validation for data pointer and data length received in driver. Change-Id: I7b56e2ddcbcb5e98dd93d152033db48063e772d3 CRs-Fixed: 2252793
2018-06-28 12:43:41 +05:30
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -10508,6 +10508,7 @@ __wlan_hdd_cfg80211_avoid_freq(struct wiphy *wiphy,
 	uint16_t unsafe_channel_index, local_unsafe_list_count;
 	struct ch_avoid_ind_type *channel_list;
 	enum QDF_GLOBAL_MODE curr_mode;
+	uint8_t num_args = 0;

 	hdd_enter_dev(wdev->netdev);

@@ -10525,10 +10526,26 @@ __wlan_hdd_cfg80211_avoid_freq(struct wiphy *wiphy,
 	ret = wlan_hdd_validate_context(hdd_ctx);
 	if (0 != ret)
 		return ret;
+	if (!data || data_len < (sizeof(channel_list->ch_avoid_range_cnt) +
+				 sizeof(struct ch_avoid_freq_type))) {
+		hdd_err("Avoid frequency channel list empty");
+		return -EINVAL;
+	}
+	num_args = (data_len - sizeof(channel_list->ch_avoid_range_cnt)) /
+		sizeof(channel_list->avoid_freq_range[0].start_freq);
+
+	if (num_args < 2 || num_args > CH_AVOID_MAX_RANGE * 2 ||
+	    num_args % 2 != 0) {
+		hdd_err("Invalid avoid frequency channel list");
+		return -EINVAL;
+	}

 	channel_list = (struct ch_avoid_ind_type *)data;
-	if (!channel_list) {
-		hdd_err("Avoid frequency channel list empty");
+	if (channel_list->ch_avoid_range_cnt == 0 ||
+	    channel_list->ch_avoid_range_cnt > CH_AVOID_MAX_RANGE ||
+	    2 * channel_list->ch_avoid_range_cnt != num_args) {
+		hdd_err("Invalid frequency range count %d",
+			channel_list->ch_avoid_range_cnt);
 		return -EINVAL;
 	}