diff options
author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 01:29:21 +0000 |
---|---|---|
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 01:29:21 +0000 |
commit | c1e6349ca435a7f744f640322e02c2496ef67708 (patch) | |
tree | e8df06b4bfe909a8227343642cfc7737e2b96b6e | |
parent | 027a922c95967a6ba3ddda8b522de963df16da19 (diff) | |
parent | 117593cf89e3d1fc796ff4f8a8d66f0aa4c13b28 (diff) | |
download | wlan-c1e6349ca435a7f744f640322e02c2496ef67708.tar.gz |
WifiHal: Fix OOB read of ctrl buf while registering monitor sock am: 117593cf89
Change-Id: Icd749280d34eaf1deb19d7f73a0ee23db7828706
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp index 4576063..4199cef 100644 --- a/qcwcn/wifi_hal/wifi_hal.cpp +++ b/qcwcn/wifi_hal/wifi_hal.cpp @@ -1054,6 +1054,11 @@ static int validate_cld80211_msg(nlmsghdr *nlh, int family, int cmd) struct genlmsghdr *hdr; hdr = (genlmsghdr *)nlmsg_data(nlh); + if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(wifihal_ctrl_req_t)) + { + ALOGE("%s: Invalid nlmsg length", __FUNCTION__); + return -1; + } if(hdr->cmd == WLAN_NL_MSG_OEM) { ALOGV("%s: FAMILY ID : %d ,NL CMD : %d received", __FUNCTION__, @@ -1077,6 +1082,11 @@ static int validate_genl_msg(nlmsghdr *nlh, int family, int cmd) struct genlmsghdr *hdr; hdr = (genlmsghdr *)nlmsg_data(nlh); + if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(wifihal_ctrl_req_t)) + { + ALOGE("%s: Invalid nlmsg length", __FUNCTION__); + return -1; + } if(hdr->cmd == NL80211_CMD_FRAME || hdr->cmd == NL80211_CMD_REGISTER_ACTION) { @@ -1194,9 +1204,17 @@ static int register_monitor_sock(wifi_handle handle, wifihal_ctrl_req_t *ctrl_ms genlh = (struct genlmsghdr *)nlmsg_data(nlh); struct nlattr *nlattrs[NL80211_ATTR_MAX + 1]; - nla_parse(nlattrs, NL80211_ATTR_MAX, genlmsg_attrdata(genlh, 0), - genlmsg_attrlen(genlh, 0), NULL); - + if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(*ctrl_msg)) + { + ALOGE("%s: Invalid nlmsg length", __FUNCTION__); + return -1; + } + if (nla_parse(nlattrs, NL80211_ATTR_MAX, genlmsg_attrdata(genlh, 0), + genlmsg_attrlen(genlh, 0), NULL)) + { + ALOGE("unable to parse nl attributes"); + return -1; + } if (!nlattrs[NL80211_ATTR_FRAME_TYPE]) { ALOGD("No Valid frame type"); @@ -1555,18 +1573,17 @@ static int internal_valid_message_handler(nl_msg *msg, void *arg) ALOGD("No Frame body"); return WIFI_SUCCESS; } - - ctrl_evt = (wifihal_ctrl_event_t *)malloc(DEFAULT_PAGE_SIZE); + ctrl_evt = (wifihal_ctrl_event_t *)malloc(sizeof(*ctrl_evt) + nlh->nlmsg_len); if(ctrl_evt == NULL) { ALOGE("Memory allocation failure"); return -1; } - memset((char *)ctrl_evt, 0, DEFAULT_PAGE_SIZE); + memset((char *)ctrl_evt, 0, sizeof(*ctrl_evt) + nlh->nlmsg_len); ctrl_evt->family_name = GENERIC_NL_FAMILY; ctrl_evt->cmd_id = cmd; - ctrl_evt->data_len = msg->nm_nlh->nlmsg_len; - memcpy(ctrl_evt->data, (char *)msg->nm_nlh, ctrl_evt->data_len); + ctrl_evt->data_len = nlh->nlmsg_len; + memcpy(ctrl_evt->data, (char *)nlh, ctrl_evt->data_len); buff = (char *)nla_data(nlattrs[NL80211_ATTR_FRAME]) + 24; //! Size of Wlan80211FrameHeader |