Home Explore Help
Register Sign In
wareck
/
openwrt_lede
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 488fc98adf
Branches Tags
openwrt_lede
/
package
/
kernel
/
mac80211
/
patches
/
319-v4.12-0043-brcmfmac-add-length-checks-in-scheduled-scan-result-.patch

319-v4.12-0043-brcmfmac-add-length-checks-in-scheduled-scan-result-.patch 2.1 KB
History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061 
  1. From 4835f37e3bafc138f8bfa3cbed2920dd56fed283 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Arend Van Spriel <arend.vanspriel@broadcom.com>
    3. 

  3. Date: Thu, 6 Apr 2017 13:14:40 +0100
    4. 

  4. Subject: [PATCH] brcmfmac: add length checks in scheduled scan result handler
    5. 

  5. 

  6. Assure the event data buffer is long enough to hold the array
    7. 

  7. of netinfo items and that SSID length does not exceed the maximum
    8. 

  8. of 32 characters as per 802.11 spec.
    9. 

  9. 

  10. Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
    11. 

  11. Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
    12. 

  12. Reviewed-by: Franky Lin <franky.lin@broadcom.com>
    13. 

  13. Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    14. 

  14. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    15. 

  15. ---
    16. 

  16.  .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++++++--
    17. 

  17.  1 file changed, 11 insertions(+), 2 deletions(-)
    18. 

  18. 

  19. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    20. 

  20. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    21. 

  21. @@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct b
    22. 

  22.  	struct brcmf_pno_scanresults_le *pfn_result;
    23. 

  23.  	u32 result_count;
    24. 

  24.  	u32 status;
    25. 

  25. +	u32 datalen;
    26. 

  26.  
    27. 

  27.  	brcmf_dbg(SCAN, "Enter\n");
    28. 

  28.  
    29. 

  29. @@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct b
    30. 

  30.  		brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
    31. 

  31.  		goto out_err;
    32. 

  32.  	}
    33. 

  33. +
    34. 

  34. +	netinfo_start = brcmf_get_netinfo_array(pfn_result);
    35. 

  35. +	datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
    36. 

  36. +	if (datalen < result_count * sizeof(*netinfo)) {
    37. 

  37. +		brcmf_err("insufficient event data\n");
    38. 

  38. +		goto out_err;
    39. 

  39. +	}
    40. 

  40. +
    41. 

  41.  	request = brcmf_alloc_internal_escan_request(wiphy,
    42. 

  42.  						     result_count);
    43. 

  43.  	if (!request) {
    44. 

  44. @@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct b
    45. 

  45.  		goto out_err;
    46. 

  46.  	}
    47. 

  47.  
    48. 

  48. -	netinfo_start = brcmf_get_netinfo_array(pfn_result);
    49. 

  49. -
    50. 

  50.  	for (i = 0; i < result_count; i++) {
    51. 

  51.  		netinfo = &netinfo_start[i];
    52. 

  52.  		if (!netinfo) {
    53. 

  53. @@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct b
    54. 

  54.  			goto out_err;
    55. 

  55.  		}
    56. 

  56.  
    57. 

  57. +		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
    58. 

  58. +			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
    59. 

  59.  		brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
    60. 

  60.  			  netinfo->SSID, netinfo->channel);
    61. 

  61.  		err = brcmf_internal_escan_add_info(request,
    62.