
qcacld-3.0: Avoid concurrent matrix max param overread

Currently there is no nl policy defined for vendor sub command
QCA_NL80211_VENDOR_SUBCMD_GET_CONCURRENCY_MATRIX which may result in
buffer overread error.

To resolve this, add nl policy.

Change-Id: I155efdbb07f1c5fe300bb2be0c2a3fe07c7e134b
CRs-Fixed: 2054690
Rajeev Kumar Sirasanagandla 8 سال پیش
والد
کامیت
bff450c4e7
1فایلهای تغییر یافته به همراه17 افزوده شده و 6 حذف شده
  1. 17 6
      core/hdd/src/wlan_hdd_cfg80211.c

+ 17 - 6
core/hdd/src/wlan_hdd_cfg80211.c

@@ -2793,6 +2793,15 @@ wlan_hdd_cfg80211_set_scanning_mac_oui(struct wiphy *wiphy,
 	return ret;
 }
 
+#define MAX_CONCURRENT_MATRIX \
+	QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX
+#define MATRIX_CONFIG_PARAM_SET_SIZE_MAX \
+	QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+static const struct nla_policy
+wlan_hdd_get_concurrency_matrix_policy[MAX_CONCURRENT_MATRIX + 1] = {
+	[MATRIX_CONFIG_PARAM_SET_SIZE_MAX] = {.type = NLA_U32},
+};
+
 /**
  * __wlan_hdd_cfg80211_get_concurrency_matrix() - to retrieve concurrency matrix
  * @wiphy: pointer phy adapter
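Review bot: The new `wlan_hdd_get_concurrency_matrix_policy` table has no comment saying what it protects, which matters here because it is the whole fix. I would add something like `/* NLA_U32 makes nla_parse() reject a SET_SIZE_MAX attribute shorter than 4 bytes, so nla_get_u32() below cannot read past the payload */` above it. The alias `MAX_CONCURRENT_MATRIX` also reads like a matrix count rather than the highest attribute index; a name such as `CONCURRENCY_MATRIX_ATTR_MAX` would be clearer, with the matching `#undef` in the last hunk renamed too. Only the one attribute the handler reads has a policy entry, so any other attribute in the request is still accepted unvalidated.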
@@ -2811,7 +2820,7 @@ static int __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 {
 	uint32_t feature_set_matrix[CDS_MAX_FEATURE_SET] = {0};
 	uint8_t i, feature_sets, max_feature_sets;
-	struct nlattr *tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX + 1];
+	struct nlattr *tb[MAX_CONCURRENT_MATRIX + 1];
 	struct sk_buff *reply_skb;
 	hdd_context_t *hdd_ctx = wiphy_priv(wiphy);
 	int ret;
@@ -2827,19 +2836,18 @@ static int __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 	if (ret)
 		return ret;
 
-	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_MAX,
-			data, data_len, NULL)) {
+	if (nla_parse(tb, MAX_CONCURRENT_MATRIX, data, data_len,
+		      wlan_hdd_get_concurrency_matrix_policy)) {
 		hdd_err("Invalid ATTR");
 		return -EINVAL;
 	}
 
 	/* Parse and fetch max feature set */
-	if (!tb[QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
+	if (!tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]) {
 		hdd_err("Attr max feature set size failed");
 		return -EINVAL;
 	}
-	max_feature_sets = nla_get_u32(tb[
-		QCA_WLAN_VENDOR_ATTR_GET_CONCURRENCY_MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
+	max_feature_sets = nla_get_u32(tb[MATRIX_CONFIG_PARAM_SET_SIZE_MAX]);
 	hdd_debug("Max feature set size: %d", max_feature_sets);
 
 	/* Fill feature combination matrix */
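Review bot: The u32 returned by `nla_get_u32()` is stored in `max_feature_sets`, which the previous hunk shows is declared `uint8_t`, so a caller-supplied value above 255 is silently truncated (256 becomes 0) before it is logged and used. The new policy guarantees the attribute holds at least four bytes but puts no bound on its value. Consider reading it into a `uint32_t` first and rejecting or clamping it against the size of `feature_set_matrix`, e.g. `if (val > CDS_MAX_FEATURE_SET) val = CDS_MAX_FEATURE_SET;`, before narrowing. The code that consumes the value lies past the end of this hunk, so whether a later bound already exists cannot be confirmed from here.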
@@ -2877,6 +2885,9 @@ static int __wlan_hdd_cfg80211_get_concurrency_matrix(struct wiphy *wiphy,
 	return cfg80211_vendor_cmd_reply(reply_skb);
 }
 
+#undef MAX_CONCURRENT_MATRIX
+#undef MATRIX_CONFIG_PARAM_SET_SIZE_MAX
+
 /**
  * wlan_hdd_cfg80211_get_concurrency_matrix() - get concurrency matrix
  * @wiphy:   pointer to wireless wiphy structure.