首页 发现 帮助
登录
GfA
/
linux_kernel
5
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

brcmfmac: add length checks in scheduled scan result handler

Assure the event data buffer is long enough to hold the array
of netinfo items and that SSID length does not exceed the maximum
of 32 characters as per 802.11 spec.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Arend Van Spriel 8 年之前
父节点
acf8ac41dd
当前提交
4835f37e3b
共有 1 个文件被更改,包括 11 次插入2 次删除
合并视图 显示文件统计
  1. 11 2
      drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

+ 11 - 2
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
查看文件 

@@ -3300,6 +3300,7 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
 
 	struct brcmf_pno_scanresults_le *pfn_result;
 
 	struct brcmf_pno_scanresults_le *pfn_result;
 
 	u32 result_count;
 
 	u32 result_count;
 
 	u32 status;
 
 	u32 status;
 
+	u32 datalen;
 
 
 
 	brcmf_dbg(SCAN, "Enter\n");
 
 	brcmf_dbg(SCAN, "Enter\n");
 
 
 
@@ -3326,6 +3327,14 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
 
 		brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
 
 		brcmf_err("FALSE PNO Event. (pfn_count == 0)\n");
 
 		goto out_err;
 
 		goto out_err;
 
 	}
 
 	}
 
+
 
+	netinfo_start = brcmf_get_netinfo_array(pfn_result);
 
+	datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
 
+	if (datalen < result_count * sizeof(*netinfo)) {
 
+		brcmf_err("insufficient event data\n");
 
+		goto out_err;
 
+	}
 
+
 
 	request = brcmf_alloc_internal_escan_request(wiphy,
 
 	request = brcmf_alloc_internal_escan_request(wiphy,
 
 						     result_count);
 
 						     result_count);
 
 	if (!request) {
 
 	if (!request) {
 
@@ -3333,8 +3342,6 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
 
 		goto out_err;
 
 		goto out_err;
 
 	}
 
 	}
 
 
 
-	netinfo_start = brcmf_get_netinfo_array(pfn_result);
 
-
 
 	for (i = 0; i < result_count; i++) {
 
 	for (i = 0; i < result_count; i++) {
 
 		netinfo = &netinfo_start[i];
 
 		netinfo = &netinfo_start[i];
 
 		if (!netinfo) {
 
 		if (!netinfo) {
 
@@ -3344,6 +3351,8 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
 
 			goto out_err;
 
 			goto out_err;
 
 		}
 
 		}
 
 
 
+		if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
 
+			netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
 
 		brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
 
 		brcmf_dbg(SCAN, "SSID:%.32s Channel:%d\n",
 
 			  netinfo->SSID, netinfo->channel);
 
 			  netinfo->SSID, netinfo->channel);
 
 		err = brcmf_internal_escan_add_info(request,
 
 		err = brcmf_internal_escan_add_info(request,