qcacmn: Fix possible overread in wifi_pos_parse_req
In wifi_pos_parse_req(), the payload sections of the nl attributes ATTR_DATA and ATTR_META_DATA are type-cast to the driver-internal structures tAniMsgHdr and wifi_pos_field_info respectively without validating the payload lengths, which can lead to a buffer overread if the payload lengths are less than the size of the internal structures. To fix this, avoid the type-cast and return an error if the payload lengths of the nl attributes ATTR_DATA and ATTR_META_DATA are less than the size of tAniMsgHdr and wifi_pos_field_info respectively. Change-Id: Ie9e3197f2cd3852b394e834991aa8d3a5b530d85 CRs-Fixed: 2471275

committed by
nshrivas

orang tua
a61bf79b15
melakukan
d36ba2d9cf
@@ -32,6 +32,28 @@
|
||||
struct wlan_objmgr_psoc;
|
||||
struct wifi_pos_driver_caps;
|
||||
|
||||
/**
|
||||
* struct wifi_pos_field - wifi positioning field element
|
||||
* @id: RTT field id
|
||||
* @offset: data offset in field info buffer
|
||||
* @length: length of related data in field info buffer
|
||||
*/
|
||||
struct wifi_pos_field {
|
||||
uint32_t id;
|
||||
uint32_t offset;
|
||||
uint32_t length;
|
||||
};
|
||||
|
||||
/**
|
||||
* struct wifi_pos_field_info - wifi positioning field info buffer
|
||||
* @count: number of @wifi_pos_field elements
|
||||
* @fields: buffer to hold @wifi_pos_field elements
|
||||
*/
|
||||
struct wifi_pos_field_info {
|
||||
uint32_t count;
|
||||
struct wifi_pos_field fields[1];
|
||||
};
|
||||
|
||||
#ifdef WIFI_POS_CONVERGED
|
||||
/**
|
||||
* enum oem_err_msg - err msg returned to user space
|
||||
|
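Review bot: The kernel-doc added for `struct wifi_pos_field_info` does not say that `fields[1]` is the first element of a variable-length trailing array whose real element count is `count`. A payload-length check against `sizeof(struct wifi_pos_field_info)`, as the commit message describes, therefore only guarantees `count` and `fields[0]`. The parser is not part of this section, so it is unclear whether `count` and each field's `offset`/`length` are bounded against the received attribute lengths before use; if they are not, an overread past the first element is still possible. I would extend the doc to `* @fields: first of @count trailing elements; payload must hold @count * sizeof(struct wifi_pos_field)`. On `struct wifi_pos_field` I would add `* @offset/@length come from user space; check offset + length against the data buffer length before use`.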
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright (c) 2017 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2017, 2019 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Permission to use, copy, modify, and/or distribute this software for
|
||||
* any purpose with or without fee is hereby granted, provided that the
|
||||
@@ -43,17 +43,6 @@
|
||||
#define WIFI_POS_FLAG_DFS 10
|
||||
#define WIFI_POS_SET_DFS(info) (info |= (1 << WIFI_POS_FLAG_DFS))
|
||||
|
||||
struct wifi_pos_field {
|
||||
uint32_t id;
|
||||
uint32_t offset;
|
||||
uint32_t length;
|
||||
};
|
||||
|
||||
struct wifi_pos_field_info {
|
||||
uint32_t count;
|
||||
struct wifi_pos_field fields[1];
|
||||
};
|
||||
|
||||
/**
|
||||
* enum WMIRTT_FIELD_ID - identifies which field is being specified
|
||||
* @WMIRTT_FIELD_ID_oem_data_sub_type: oem data req sub type
|
||||
|