author Sourav Mohapatra <mohapatr@codeaurora.org> 2019-03-07 09:28:40 +0530
committer Paul Chen <chenpaul@google.com> 2019-10-01 07:27:15 +0000
commit 395c752bcb965db80a8d6b296f31150b05c99670 (patch)
tree ddd15bfea2add00c62c2e5374561c427407a88a7
parent e4bf43342a89b30412f3d5c78d84a54c2dbe7034 (diff)
download qcacld-395c752bcb965db80a8d6b296f31150b05c99670.tar.gz
qcacld-3.0: Avoid Integer underflow in hdd_dns_make_name_query
In the function hdd_dns_make_name_query, the driver is performing a validation check that includes the use of length of the received string as an array index. As the length and string both are user controlled, the user can send the length as zero. As the policy states that the given attribute is NLA_BINARY, so there would be no validation check that can ensure the correct input. Therefore in the case of a malformed packet with null length string, it can cause a possible integer underflow. To avoid this vulnerability change the attribute type from NLA_BINARY to NLA_NUL_STRING. This will cause all the checks to be performed at validate_nla.

Change-Id: I0bb569b71a88a07745d364dad23cf1210af4212e
CRs-Fixed: 2409913
Bug: 141099048
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r-- core/hdd/src/wlan_hdd_cfg80211.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index d8efa865cc..94ae94fcb2 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -10789,7 +10789,7 @@ qca_wlan_vendor_set_nud_stats[STATS_SET_MAX + 1] = {
const struct nla_policy
qca_wlan_vendor_set_connectivity_check_stats[CONNECTIVITY_STATS_SET_MAX + 1] = {
[STATS_PKT_INFO_TYPE] = {.type = NLA_U32 },
- [STATS_DNS_DOMAIN_NAME] = {.type = NLA_BINARY,
+ [STATS_DNS_DOMAIN_NAME] = {.type = NLA_NUL_STRING,
.len = DNS_DOMAIN_NAME_MAX_LEN },
[STATS_SRC_PORT] = {.type = NLA_U32 },
[STATS_DEST_PORT] = {.type = NLA_U32 },
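Review bot: The new `[STATS_DNS_DOMAIN_NAME] = {.type = NLA_NUL_STRING,` entry rejects an empty payload and requires a NUL terminator, but a payload consisting of a single NUL byte still passes policy validation and yields a string of length zero. The length-as-index check in hdd_dns_make_name_query that the commit message describes is not touched by this patch, so it should also get an explicit guard that returns early on a zero-length name rather than relying on the policy alone. Separately, `.len` for NLA_NUL_STRING is the maximum string length excluding the terminator, whereas for NLA_BINARY it was the maximum payload length, so the accepted payload grows to DNS_DOMAIN_NAME_MAX_LEN + 1 bytes; please confirm that every buffer the name is copied into is sized for that, or set `.len = DNS_DOMAIN_NAME_MAX_LEN - 1` if the old bound was the intended one.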