diff options
author | Andrew Chant <achant@google.com> | 2017-05-19 11:27:27 -0700 |
---|---|---|
committer | Andrew Chant <achant@google.com> | 2017-05-19 11:27:27 -0700 |
commit | f80a29ba2279aa6fe97bde50d3961d1b96fd9eaf (patch) | |
tree | 6043f0e00c6770bed1e0013cabd7bc63f3d68c1a | |
parent | 75abc118163288efd62fdb2586499164e90f8f16 (diff) | |
parent | e993ad751e8d562c6e220ac34c89e6c669c7ed9b (diff) | |
download | x86_64-f80a29ba2279aa6fe97bde50d3961d1b96fd9eaf.tar.gz |
Merge additional July 2017 security update.
Merge 'android-x86_64-fugu-3.10-nyc-mr1-security-next'
to pick up missed patch.
July 2017.1
Bug: 38137582
-rw-r--r-- | drivers/net/wireless/bcmdhd/wl_cfgvendor.c | 34 |
1 files changed, 31 insertions, 3 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c index 54e13e09a97e..676eeafbc859 100644 --- a/drivers/net/wireless/bcmdhd/wl_cfgvendor.c +++ b/drivers/net/wireless/bcmdhd/wl_cfgvendor.c @@ -856,11 +856,15 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, const struct nlattr *outer, *inner, *iter; uint8 flush = 0; wl_pfn_significant_bssid_t *pbssid; + uint16 num_bssid = 0; + uint16 max_buf_size = sizeof(gscan_swc_params_t) + + sizeof(wl_pfn_significant_bssid_t) * (PFN_SWC_MAX_NUM_APS - 1); + + significant_params = kzalloc(max_buf_size, GFP_KERNEL); - significant_params = (gscan_swc_params_t *) kzalloc(len, GFP_KERNEL); if (!significant_params) { - WL_ERR(("Cannot Malloc mem to parse config commands size - %d bytes \n", len)); - return -1; + WL_ERR(("Cannot Malloc mem size:%d\n", len)); + return BCME_NOMEM; } @@ -880,9 +884,27 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, case GSCAN_ATTRIBUTE_MIN_BREACHING: significant_params->swc_threshold = nla_get_u16(iter); break; + case GSCAN_ATTRIBUTE_NUM_BSSID: + num_bssid = nla_get_u16(iter); + if (num_bssid > PFN_SWC_MAX_NUM_APS) { + WL_ERR(("ovar max SWC bssids:%d\n", + num_bssid)); + err = BCME_BADARG; + goto exit; + } + break; case GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS: + if (num_bssid == 0) { + WL_ERR(("num_bssid : 0\n")); + err = BCME_BADARG; + goto exit; + } pbssid = significant_params->bssid_elem_list; nla_for_each_nested(outer, iter, tmp) { + if (j >= num_bssid) { + j++; + break; + } nla_for_each_nested(inner, outer, tmp1) { switch (nla_type(inner)) { case GSCAN_ATTRIBUTE_BSSID: @@ -905,6 +927,12 @@ static int wl_cfgvendor_significant_change_cfg(struct wiphy *wiphy, break; } } + if (j != num_bssid) { + WL_ERR(("swc bssids count:%d not matched to num_bssid:%d\n", + j, num_bssid)); + err = BCME_BADARG; + goto exit; + } significant_params->nbssid = j; if (dhd_dev_pno_set_cfg_gscan(bcmcfg_to_prmry_ndev(cfg), |