qcacld-3.0: Check channel_count in DCC_GET_STATS command

Invalid channel_count may be sent to driver with QCA_NL80211_VENDOR_SUBCMD_DCC_GET_STATS vendor command, and may also pass the sanity check with get_stats_param->request_array_len as integer overflow, in send_dcc_get_stats_cmd_tlv(). Then it will finally lead to heap overflow when initializing TLV header for each channel. Change-Id: I1d81b5fc4de80829433f2a0ab41c964c41f750c3 CRs-Fixed: 2300516 Bug: 128343982 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
author: Lin Bai <lbai@codeaurora.org> 2018-09-11 22:53:28 +0800
committer: Ahmed ElArabawy <arabawy@google.com> 2019-03-18 10:22:27 -0700
commit: 754900c13a8fdc9ef377b9607c27a6d13ff4798c (patch)
tree: 637683ed764bae52e0a2d25698e8e644de9f3264
parent: 8fe89814aec6a961ce0fc0b27124eb6e87b9dd62 (diff)
download: qcacld-754900c13a8fdc9ef377b9607c27a6d13ff4798c.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ocb.c b/core/hdd/src/wlan_hdd_ocb.c
index 3cc55703d8..cf46c118be 100644
--- a/core/hdd/src/wlan_hdd_ocb.c
+++ b/core/hdd/src/wlan_hdd_ocb.c
@@ -1663,6 +1663,12 @@ static int __wlan_hdd_cfg80211_dcc_get_stats(struct wiphy *wiphy,
 	request_array = nla_data(
 		tb[QCA_WLAN_VENDOR_ATTR_DCC_GET_STATS_REQUEST_ARRAY]);
 
+	/* Check channel count. Per 11p spec, max 2 channels allowed */
+	if (!channel_count || channel_count > TGT_NUM_OCB_CHANNELS) {
+		hdd_err("Invalid channel_count %d", channel_count);
+		return -EINVAL;
+	}
+
 	hdd_request = hdd_request_alloc(&params);
 	if (!hdd_request) {
 		hdd_err("Request allocation failure");
author	Lin Bai <lbai@codeaurora.org>	2018-09-11 22:53:28 +0800
committer	Ahmed ElArabawy <arabawy@google.com>	2019-03-18 10:22:27 -0700
commit	754900c13a8fdc9ef377b9607c27a6d13ff4798c (patch)
tree	637683ed764bae52e0a2d25698e8e644de9f3264
parent	8fe89814aec6a961ce0fc0b27124eb6e87b9dd62 (diff)
download	qcacld-754900c13a8fdc9ef377b9607c27a6d13ff4798c.tar.gz