Merge "FPII-1870:CR:930555-Improper access control on QCSAP_IOCTL_SET_CHANNEL_RANGE (SIOCIWFIRSTPRIV + 17)" into fp/fp2_5.1_int
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 662ff7c..c1d870a 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -3049,6 +3049,8 @@
u_int8_t WPSIeType;
u_int16_t length;
struct iw_point s_priv_data;
+ int ret = 0;
+
ENTER();
/* helper function to get iwreq_data with compat handling. */
@@ -3094,9 +3096,8 @@
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -3154,6 +3155,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
pos += length;
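Review bot: The new guard bounds `length` against the destination UUID_E only; as far as this hunk shows, nothing checks that `length` bytes actually remain in the source IE after `pos += 2`, so a truncated attribute could still make vos_mem_copy read past the end of the caller-supplied WPS IE. Unless an earlier check outside this hunk already validates each attribute length against the IE's total length (wps_genie[1]), the guard should also compare against the remaining input, e.g. `if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E) || length > REMAINING_BYTES) { ret = -EINVAL; goto exit; }` where REMAINING_BYTES is a placeholder for a bytes-left count the hunk does not show. The same point applies to the probe-response hunks that add the checks for UUID_E, Manufacture.name, ModelName.text, ModelNumber.text, SerialNumber.text and DeviceName.text. The enclosing function starts before the first hunk of this file and ends in its last one.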
@@ -3168,9 +3174,8 @@
default:
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
}
}
@@ -3182,10 +3187,9 @@
default:
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return 0;
- }
+ ret = -EINVAL;
+ goto exit;
+ }
}
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
{
@@ -3196,9 +3200,8 @@
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -3262,6 +3265,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
pos += length;
@@ -3271,6 +3279,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
@@ -3281,6 +3294,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
@@ -3290,6 +3308,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
@@ -3299,6 +3322,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
@@ -3322,6 +3350,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
pos += length;
@@ -3353,6 +3386,8 @@
} // switch
}
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
+ if (halStatus != eHAL_STATUS_SUCCESS)
+ ret = -EINVAL;
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
{
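Review bot: When WLANSAP_Set_WpsIe fails, the added lines only record `ret = -EINVAL` and execution continues into the bCommit branch, so WLANSAP_Update_WpsIe can still be invoked for an IE that was never accepted. If the commit step should be skipped on failure, add `goto exit;` directly after `ret = -EINVAL;` so this path behaves like the other error exits introduced in this commit; a `hddLog(LOGE, ...)` of halStatus there would also match the file's logging style. Note that the function now returns an errno instead of the raw halStatus, which any caller comparing against eHAL_STATUS values would need to follow.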
@@ -3361,10 +3396,11 @@
WLANSAP_Update_WpsIe ( pVosContext );
}
+exit:
vos_mem_free(pSap_WPSIe);
kfree(fwps_genie);
EXIT();
- return halStatus;
+ return ret;
}
static int iw_softap_setwpsie(struct net_device *dev,
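Review bot: The `exit:` label unconditionally frees pSap_WPSIe and fwps_genie, so every `goto exit` added in this commit must only be reachable after both allocations have succeeded; the allocations and their failure handling sit before the first hunk, outside this view, so that ordering should be confirmed, and any allocation-failure path there should keep its own return rather than jumping to the label. A comment on the label such as `/* exit: owns pSap_WPSIe and fwps_genie; only reachable once both are allocated */` would record the invariant for the next change to this function.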
diff --git a/CORE/HDD/src/wlan_hdd_oemdata.c b/CORE/HDD/src/wlan_hdd_oemdata.c
index da578bc..f5942ef 100644
--- a/CORE/HDD/src/wlan_hdd_oemdata.c
+++ b/CORE/HDD/src/wlan_hdd_oemdata.c
@@ -192,6 +192,12 @@
hdd_adapter_t *pAdapter = (netdev_priv(dev));
hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+ if (!capable(CAP_NET_ADMIN)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
{
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
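Review bot: The capable(CAP_NET_ADMIN) gate is placed before any driver state is read, which is the right position, but it appears only in this oemdata handler; the merge title names QCSAP_IOCTL_SET_CHANNEL_RANGE in wlan_hdd_hostapd.c, and no hunk of this diff as shown touches that ioctl's handler, so it is worth confirming the same gate landed there (this may be a partial view of the change). The enclosing function's signature is outside the hunk.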
diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c
index e31c1ce..da5f5f3 100644
--- a/CORE/HDD/src/wlan_hdd_scan.c
+++ b/CORE/HDD/src/wlan_hdd_scan.c
@@ -667,7 +667,8 @@
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if(scanReq->essid_len) {
+ if(scanReq->essid_len &&
+ (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH)) {
scanRequest.SSIDs.numOfSSIDs = 1;
scanRequest.SSIDs.SSIDList =( tCsrSSIDInfo *)vos_mem_malloc(sizeof(tCsrSSIDInfo));
if(scanRequest.SSIDs.SSIDList) {
@@ -681,6 +682,10 @@
VOS_ASSERT(0);
}
}
+ else
+ {
+ hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len);
+ }
}
/* set min and max channel time */
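Review bot: The new else branch is reached both when `essid_len` exceeds SIR_MAC_MAX_SSID_LENGTH and when it is zero, so the "Invalid essid length" error is now also logged at LOGE for the zero-length case the original code skipped silently, and after logging the request appears to proceed without an SSID rather than being rejected. If an oversized ESSID should fail the request, the branch should return an error (e.g. `return -EINVAL;` after the hddLog, provided nothing allocated earlier needs releasing), and the zero case should keep its previous quiet behaviour, e.g. `if (scanReq->essid_len) hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len);`. The matching guard is in the previous hunk; the enclosing function starts and ends outside these hunks.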
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 34c50c8..2673462 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -7197,6 +7197,9 @@
hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+ (pRequest->paramsData[i].dataLength))
+ return -EINVAL;
memcpy(&packetFilterSetReq.paramsData[i].compareData,
pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);