samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Çatalla 0
Kod Konular Değişiklik İstekleri İşlemler Paketler Projeler Sürüm Wiki Aktivite

qcacld-3.0: Fix memory corruption due to wlan_hdd_add_age_ie

Kaynağa Gözat 
In wlan_hdd_add_age_ie the mgmt->u.probe_resp.variable is type casted
to qcom_ie_age, before incrementing the mgmt->u.probe_resp.variable
to get the qcom_ie_age pointer. This leads to memory corruption.

Fixed by typecasting the pointer once the qcom_ie_age pointer is
derived by incrementing the offset of qcom_ie_age from
mgmt->u.probe_resp.variable.

Change-Id: Iafcdb5c17f0d9c234687ddcc6f8b9100b21cc957
CRs-Fixed: 2201303
Bu işleme şunda yer alıyor:
Abhishek Singh
2018-03-07 10:48:46 +05:30
işlemeyi yapan: nshrivas
ebeveyn b903b6eeb4
işleme f1c1676351
1 değiştirilmiş dosya ile 6 ekleme ve 6 silme
Yama Dosyasını İndir Diff Dosyasını İndir Tüm dosyaları genişlet Tüm dosyaları daralt

12
core/hdd/src/wlan_hdd_cfg80211.c
Dosyayı Görüntüle

@@ -16232,7 +16232,7 @@ wlan_hdd_get_frame_len(struct bss_description *bss_desc)
}
static inline void wlan_hdd_add_age_ie(struct ieee80211_mgmt *mgmt,
uint32_t ie_length, struct bss_description *bss_desc)
uint32_t *ie_length, struct bss_description *bss_desc)
{
qcom_ie_age *qie_age = NULL;
@@ -16240,8 +16240,8 @@ static inline void wlan_hdd_add_age_ie(struct ieee80211_mgmt *mgmt,
* GPS Requirement: need age ie per entry. Using vendor specific.
* Assuming this is the last IE, copy at the end
*/
ie_length -= sizeof(qcom_ie_age);
qie_age = (qcom_ie_age *)mgmt->u.probe_resp.variable + ie_length;
*ie_length -= sizeof(qcom_ie_age);
qie_age = (qcom_ie_age *)(mgmt->u.probe_resp.variable + *ie_length);
qie_age->element_id = QCOM_VENDOR_IE_ID;
qie_age->len = QCOM_VENDOR_IE_AGE_LEN;
qie_age->oui_1 = QCOM_OUI1;
@@ -16269,7 +16269,7 @@ wlan_hdd_get_frame_len(struct bss_description *bss_desc)
return GET_IE_LEN_IN_BSS(bss_desc->length);
}
static inline void wlan_hdd_add_age_ie(struct ieee80211_mgmt *mgmt,
uint32_t ie_length, struct bss_description *bss_desc)
uint32_t *ie_length, struct bss_description *bss_desc)
{
}
#endif /* WLAN_ENABLE_AGEIE_ON_SCAN_RESULTS */
@@ -16281,7 +16281,7 @@ wlan_hdd_inform_bss_frame(struct hdd_adapter *adapter,
{
struct wireless_dev *wdev = adapter->dev->ieee80211_ptr;
struct wiphy *wiphy = wdev->wiphy;
int ie_length = wlan_hdd_get_frame_len(bss_desc);
uint32_t ie_length = wlan_hdd_get_frame_len(bss_desc);
const char *ie =
((ie_length != 0) ? (const char *)&bss_desc->ieFields : NULL);
uint32_t freq, i;
@@ -16334,7 +16334,7 @@ wlan_hdd_inform_bss_frame(struct hdd_adapter *adapter,
bss_data.mgmt->u.probe_resp.beacon_int = bss_desc->beaconInterval;
bss_data.mgmt->u.probe_resp.capab_info = bss_desc->capabilityInfo;
wlan_hdd_add_age_ie(bss_data.mgmt, ie_length, bss_desc);
wlan_hdd_add_age_ie(bss_data.mgmt, &ie_length, bss_desc);
memcpy(bss_data.mgmt->u.probe_resp.variable, ie, ie_length);
if (bss_desc->fProbeRsp) {