qcacmn: Fix possible overread in wifi_pos_parse_req

In wifi_pos_parse_req(), payload sections of nl attributes ATTR_DATA and ATTR_META_DATA are type casted to driver internal structures tAniMsgHdr and wifi_pos_field_info respectively without validating payload lengths which can lead to buffer overread if the payload lengths are less than size of internal structures. To fix this, avoid type-cast and return error if payload lengths of nl attributes ATTR_DATA and ATTR_META_DATA are less than size of tAniMsgHdr and wifi_pos_field_info respectively. Change-Id: Ie9e3197f2cd3852b394e834991aa8d3a5b530d85 CRs-Fixed: 2471275
2019-06-26 16:50:00 +05:30
parent a61bf79b15
commit d36ba2d9cf
3 changed files with 70 additions and 20 deletions
--- a/umac/wifi_pos/inc/wifi_pos_api.h
+++ b/umac/wifi_pos/inc/wifi_pos_api.h
@@ -32,6 +32,28 @@
 struct wlan_objmgr_psoc;
 struct wifi_pos_driver_caps;

+/**
+ * struct wifi_pos_field - wifi positioning field element
+ * @id: RTT field id
+ * @offset: data offset in field info buffer
+ * @length: length of related data in field info buffer
+ */
+struct wifi_pos_field {
+	uint32_t id;
+	uint32_t offset;
+	uint32_t length;
+};
+
+/**
+ * struct wifi_pos_field_info - wifi positioning field info buffer
+ * @count: number of @wifi_pos_field elements
+ * @fields: buffer to hold @wifi_pos_field elements
+ */
+struct wifi_pos_field_info {
+	uint32_t count;
+	struct wifi_pos_field fields[1];
+};
+
 #ifdef WIFI_POS_CONVERGED
 /**
 * enum oem_err_msg - err msg returned to user space