author | Lin Bai <lbai@codeaurora.org> | 2018-09-11 22:53:28 +0800 |
---|---|---|
committer | Ahmed ElArabawy <arabawy@google.com> | 2019-03-18 10:22:27 -0700 |
commit | 754900c13a8fdc9ef377b9607c27a6d13ff4798c (patch) | |
tree | 637683ed764bae52e0a2d25698e8e644de9f3264 | |
parent | 8fe89814aec6a961ce0fc0b27124eb6e87b9dd62 (diff) | |
download | qcacld-754900c13a8fdc9ef377b9607c27a6d13ff4798c.tar.gz |
qcacld-3.0: Check channel_count in DCC_GET_STATS command
An invalid channel_count may be sent to the driver with the
QCA_NL80211_VENDOR_SUBCMD_DCC_GET_STATS vendor command and, because of
an integer overflow, may also pass the sanity check against
get_stats_param->request_array_len in send_dcc_get_stats_cmd_tlv().
This finally leads to a heap overflow when the TLV header is
initialized for each channel.
Change-Id: I1d81b5fc4de80829433f2a0ab41c964c41f750c3
CRs-Fixed: 2300516
Bug: 128343982
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r-- | core/hdd/src/wlan_hdd_ocb.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ocb.c b/core/hdd/src/wlan_hdd_ocb.c
index 3cc55703d8..cf46c118be 100644
--- a/core/hdd/src/wlan_hdd_ocb.c
+++ b/core/hdd/src/wlan_hdd_ocb.c
@@ -1663,6 +1663,12 @@ static int __wlan_hdd_cfg80211_dcc_get_stats(struct wiphy *wiphy,
 request_array = nla_data(
 tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]);
 
+ /* Check channel count. Per 11p spec, max 2 channels allowed */
+ if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
+ hdd_err("Invalid channel_count %d", channel_count);
+ return -EINVAL;
+ }
+
 hdd_request = hdd_request_alloc(¶ms);
 if (!hdd_request) {
 hdd_err("Request allocation failure"); |
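Review bot: The new bound on channel_count removes the multiplication overflow, but the hunk still takes request_array from the netlink attribute without comparing the attribute's own length to channel_count. The only length check is therefore still the one in send_dcc_get_stats_cmd_tlv() that the commit message mentions. Both values are known at this boundary, so I would reject a mismatch right after the new check and before hdd_request_alloc(), e.g. `if (nla_len(tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]) != channel_count * sizeof(<per-channel stats request struct>)) return -EINVAL;` (the struct name is a placeholder, as it is not visible here). This is unnecessary if the check already exists in the part of __wlan_hdd_cfg80211_dcc_get_stats() outside the hunk. Separately, `hdd_err("Invalid channel_count %d", channel_count);` should use `%u` if channel_count is declared unsigned, which its declaration outside the hunk would confirm.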