author | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 01:29:33 +0000 |
committer | Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com> | 2020-03-10 01:29:33 +0000 |
commit | ec207349252d30a5772522ad3ea698b2c50a082a (patch) | |
tree | 47786b9695c545d6d83d4a148cd1bdbbee6ac278 /qcwcn/wifi_hal | |
parent | f28b1f43b2dc03a36447ec2379f0b8995276ece7 (diff) | |
parent | 117593cf89e3d1fc796ff4f8a8d66f0aa4c13b28 (diff) | |
download | wlan-ec207349252d30a5772522ad3ea698b2c50a082a.tar.gz |
WifiHal: Fix OOB read of ctrl buf while registering monitor sock am: 117593cf89
Change-Id: I16a306e40c81663cd8311f1d27b85a0ca08bea0e
Diffstat (limited to 'qcwcn/wifi_hal')
-rw-r--r-- | qcwcn/wifi_hal/wifi_hal.cpp | 33 |
1 files changed, 25 insertions, 8 deletions
diff --git a/qcwcn/wifi_hal/wifi_hal.cpp b/qcwcn/wifi_hal/wifi_hal.cpp
index 61f7ee6..3b21a0e 100644
--- a/qcwcn/wifi_hal/wifi_hal.cpp
+++ b/qcwcn/wifi_hal/wifi_hal.cpp
@@ -1054,6 +1054,11 @@ static int validate_cld80211_msg(nlmsghdr *nlh, int family, int cmd)
 struct genlmsghdr *hdr;
 hdr = (genlmsghdr *)nlmsg_data(nlh);
 
+ if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(wifihal_ctrl_req_t))
+ {
+ ALOGE("%s: Invalid nlmsg length", __FUNCTION__);
+ return -1;
+ }
 if(hdr->cmd == WLAN_NL_MSG_OEM)
 {
 ALOGV("%s: FAMILY ID : %d ,NL CMD : %d received", __FUNCTION__,
@@ -1077,6 +1082,11 @@ static int validate_genl_msg(nlmsghdr *nlh, int family, int cmd)
 struct genlmsghdr *hdr;
 hdr = (genlmsghdr *)nlmsg_data(nlh);
 
+ if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(wifihal_ctrl_req_t))
+ {
+ ALOGE("%s: Invalid nlmsg length", __FUNCTION__);
+ return -1;
+ }
 if(hdr->cmd == NL80211_CMD_FRAME ||
 hdr->cmd == NL80211_CMD_REGISTER_ACTION)
 {
@@ -1194,9 +1204,17 @@ static int register_monitor_sock(wifi_handle handle, wifihal_ctrl_req_t *ctrl_ms
 genlh = (struct genlmsghdr *)nlmsg_data(nlh);
 struct nlattr *nlattrs[NL80211_ATTR_MAX + 1];
 
- nla_parse(nlattrs, NL80211_ATTR_MAX, genlmsg_attrdata(genlh, 0),
- genlmsg_attrlen(genlh, 0), NULL);
- 
+ if (nlh->nlmsg_len > DEFAULT_PAGE_SIZE - sizeof(*ctrl_msg))
+ {
+ ALOGE("%s: Invalid nlmsg length", __FUNCTION__);
+ return -1;
+ }
+ if (nla_parse(nlattrs, NL80211_ATTR_MAX, genlmsg_attrdata(genlh, 0),
+ genlmsg_attrlen(genlh, 0), NULL))
+ {
+ ALOGE("unable to parse nl attributes");
+ return -1;
+ }
 if (!nlattrs[NL80211_ATTR_FRAME_TYPE])
 {
 ALOGD("No Valid frame type");
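Review bot: The new upper-bound check in validate_cld80211_msg (first hunk) sits one line before `hdr->cmd` is read, but nothing rejects a message whose nlmsg_len is shorter than the netlink header plus the genl header, so a short message still has its genlmsghdr read from bytes the sender never supplied; validate_genl_msg (second hunk) and register_monitor_sock (third hunk) have the same gap, and in the third hunk genlmsg_attrlen(genlh, 0) is derived from that same nlmsg_len before nla_parse walks the attributes. Pairing the new check with a minimum, e.g. `if (!genlmsg_valid_hdr(nlh, 0)) { ALOGE("%s: Invalid nlmsg length", __FUNCTION__); return -1; }`, placed ahead of the genlmsghdr dereference closes it while keeping the error path the commit already introduces. The identical upper-bound expression is now written three times (twice as sizeof(wifihal_ctrl_req_t), once as sizeof(*ctrl_msg)); one static helper, say `static bool ctrl_nlmsg_fits(const nlmsghdr *nlh)`, would keep the copies from drifting apart. Whether nlmsg_len is also compared with the byte count actually received into the control buffer is not visible in these hunks — presumably the caller checks it against the request's own length field, but that is worth confirming, since this bound protects only the buffer size, not the received length. All three enclosing functions continue outside their hunks.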
@@ -1555,18 +1573,17 @@ static int internal_valid_message_handler(nl_msg *msg, void *arg)
 ALOGD("No Frame body");
 return WIFI_SUCCESS;
 }
- 
- ctrl_evt = (wifihal_ctrl_event_t *)malloc(DEFAULT_PAGE_SIZE);
+ ctrl_evt = (wifihal_ctrl_event_t *)malloc(sizeof(*ctrl_evt) + nlh->nlmsg_len);
 if(ctrl_evt == NULL)
 {
 ALOGE("Memory allocation failure");
 return -1;
 }
- memset((char *)ctrl_evt, 0, DEFAULT_PAGE_SIZE);
+ memset((char *)ctrl_evt, 0, sizeof(*ctrl_evt) + nlh->nlmsg_len);
 ctrl_evt->family_name = GENERIC_NL_FAMILY;
 ctrl_evt->cmd_id = cmd;
- ctrl_evt->data_len = msg->nm_nlh->nlmsg_len;
- memcpy(ctrl_evt->data, (char *)msg->nm_nlh, ctrl_evt->data_len);
+ ctrl_evt->data_len = nlh->nlmsg_len;
+ memcpy(ctrl_evt->data, (char *)nlh, ctrl_evt->data_len);
 buff = (char *)nla_data(nlattrs[NL80211_ATTR_FRAME]) + 24; //! Size of Wlan80211FrameHeader |