package/kernel/mac80211/patches/319-v4.12-0043-brcmfmac-add-length-checks-in-scheduled-scan-result-.patch

   1 From 4835f37e3bafc138f8bfa3cbed2920dd56fed283 Mon Sep 17 00:00:00 2001
   2 From: Arend Van Spriel <arend.vanspriel@broadcom.com>
   3 Date: Thu, 6 Apr 2017 13:14:40 +0100
   4 Subject: [PATCH] brcmfmac: add length checks in scheduled scan result handler
   5
   6 Assure the event data buffer is long enough to hold the array
   7 of netinfo items and that SSID length does not exceed the maximum
   8 of 32 characters as per 802.11 spec.
   9
  10 Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
  11 Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
  12 Reviewed-by: Franky Lin <franky.lin@broadcom.com>
  13 Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  14 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  15 ---
  16  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++++++--
  17  1 file changed, 11 insertions(+), 2 deletions(-)
  18
  19 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
  20 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
  21 @@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct b
  22         struct brcmf_pno_scanresults_le *pfn_result;
  23         u32 result_count;
  24         u32 status;
  25 +       u32 datalen;
  26
  27         brcmf_dbg(SCAN, "Enter\n");
  28
  29 @@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct b
  30                 brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
  31                 goto out_err;
  32         }
  33 +
  34 +       netinfo_start = brcmf_get_netinfo_array(pfn_result);
  35 +       datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
  36 +       if (datalen < result_count * sizeof(*netinfo)) {
  37 +               brcmf_err("insufficient event data\n");
  38 +               goto out_err;
  39 +       }
  40 +
  41         request = brcmf_alloc_internal_escan_request(wiphy,
  42                                                      result_count);
  43         if (!request) {
  44 @@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct b
  45                 goto out_err;
  46         }
  47
  48 -       netinfo_start = brcmf_get_netinfo_array(pfn_result);
  49 -
  50         for (i = 0; i < result_count; i++) {
  51                 netinfo = &netinfo_start[i];
  52                 if (!netinfo) {
  53 @@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct b
  54                         goto out_err;
  55                 }
  56
  57 +               if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
  58 +                       netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
  59                 brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
  60                           netinfo->SSID, netinfo->channel);
  61                 err = brcmf_internal_escan_add_info(request,