Merge "FPII-1877:CR:930952-Improper access control on WLAN_SET_BAND_CONFIG (SIOCIWFIRSTPRIV + 25)" into fp/fp2_5.1_int
diff --git a/CORE/HDD/src/wlan_hdd_ftm.c b/CORE/HDD/src/wlan_hdd_ftm.c
index c0250ea..18b8d8f 100644
--- a/CORE/HDD/src/wlan_hdd_ftm.c
+++ b/CORE/HDD/src/wlan_hdd_ftm.c
@@ -5031,6 +5031,13 @@
hdd_adapter_t *pAdapter;
struct iw_point s_priv_data;
+ if (!capable(CAP_NET_ADMIN))
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
ret =0;
/* helper function to get iwreq_data with compat handling. */
if (hdd_priv_get_data(&s_priv_data, wrqu))
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 9f40cb3..23226e7 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -2252,6 +2252,13 @@
v_U8_t *peerMacAddr;
ENTER();
+
+ if (!capable(CAP_NET_ADMIN)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
/* iwpriv tool or framework calls this ioctl with
* data passed in extra (less than 16 octets);
*/
@@ -2351,6 +2358,13 @@
VOS_STATUS status;
int ret = 0; /* success */
+ if (!capable(CAP_NET_ADMIN))
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
status = WLANSAP_SetChannelRange(hHal,startChannel,endChannel,band);
if(status != VOS_STATUS_SUCCESS)
{
@@ -3042,8 +3056,16 @@
u_int8_t WPSIeType;
u_int16_t length;
struct iw_point s_priv_data;
+ int ret = 0;
+
ENTER();
+ if (!capable(CAP_NET_ADMIN)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
/* helper function to get iwreq_data with compat handling. */
if (hdd_priv_get_data(&s_priv_data, wrqu))
{
@@ -3087,9 +3109,8 @@
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -3147,6 +3168,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > sizeof(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSBeaconIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSBeaconIE.FieldPresent |= WPS_BEACON_UUIDE_PRESENT;
pos += length;
@@ -3161,9 +3187,8 @@
default:
hddLog (LOGW, "UNKNOWN TLV in WPS IE(%x)", (*pos<<8 | *(pos+1)));
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
}
}
@@ -3175,10 +3200,9 @@
default:
hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, wps_genie[0]);
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return 0;
- }
+ ret = -EINVAL;
+ goto exit;
+ }
}
else if( wps_genie[0] == eQC_WPS_PROBE_RSP_IE)
{
@@ -3189,9 +3213,8 @@
case DOT11F_EID_WPA:
if (wps_genie[1] < 2 + 4)
{
- vos_mem_free(pSap_WPSIe);
- kfree(fwps_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
}
else if (memcmp(&wps_genie[2], "\x00\x50\xf2\x04", 4) == 0)
{
@@ -3255,6 +3278,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.UUID_E, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_UUIDE_PRESENT;
pos += length;
@@ -3264,6 +3292,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.num_name = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.Manufacture.name, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MANUFACTURE_PRESENT;
@@ -3274,6 +3307,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelName.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNAME_PRESENT;
@@ -3283,6 +3321,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.ModelNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_MODELNUMBER_PRESENT;
@@ -3292,6 +3335,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.SerialNumber.text, pos, length);
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.FieldPresent |= WPS_PROBRSP_SERIALNUMBER_PRESENT;
@@ -3315,6 +3363,11 @@
pos += 2;
length = *pos<<8 | *(pos+1);
pos += 2;
+ if (length > (sizeof(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text)))
+ {
+ ret = -EINVAL;
+ goto exit;
+ }
pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.num_text = length;
vos_mem_copy(pSap_WPSIe->sapwpsie.sapWPSProbeRspIE.DeviceName.text, pos, length);
pos += length;
@@ -3346,6 +3399,8 @@
} // switch
}
halStatus = WLANSAP_Set_WpsIe(pVosContext, pSap_WPSIe);
+ if (halStatus != eHAL_STATUS_SUCCESS)
+ ret = -EINVAL;
pHostapdState = WLAN_HDD_GET_HOSTAP_STATE_PTR(pHostapdAdapter);
if( pHostapdState->bCommit && WPSIeType == eQC_WPS_PROBE_RSP_IE)
{
@@ -3354,10 +3409,11 @@
WLANSAP_Update_WpsIe ( pVosContext );
}
+exit:
vos_mem_free(pSap_WPSIe);
kfree(fwps_genie);
EXIT();
- return halStatus;
+ return ret;
}
static int iw_softap_setwpsie(struct net_device *dev,
diff --git a/CORE/HDD/src/wlan_hdd_oemdata.c b/CORE/HDD/src/wlan_hdd_oemdata.c
index da578bc..f5942ef 100644
--- a/CORE/HDD/src/wlan_hdd_oemdata.c
+++ b/CORE/HDD/src/wlan_hdd_oemdata.c
@@ -192,6 +192,12 @@
hdd_adapter_t *pAdapter = (netdev_priv(dev));
hdd_wext_state_t *pwextBuf = WLAN_HDD_GET_WEXT_STATE_PTR(pAdapter);
+ if (!capable(CAP_NET_ADMIN)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
if ((WLAN_HDD_GET_CTX(pAdapter))->isLogpInProgress)
{
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_FATAL,
diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c
index e31c1ce..da5f5f3 100644
--- a/CORE/HDD/src/wlan_hdd_scan.c
+++ b/CORE/HDD/src/wlan_hdd_scan.c
@@ -667,7 +667,8 @@
if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if(scanReq->essid_len) {
+ if(scanReq->essid_len &&
+ (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH)) {
scanRequest.SSIDs.numOfSSIDs = 1;
scanRequest.SSIDs.SSIDList =( tCsrSSIDInfo *)vos_mem_malloc(sizeof(tCsrSSIDInfo));
if(scanRequest.SSIDs.SSIDList) {
@@ -681,6 +682,10 @@
VOS_ASSERT(0);
}
}
+ else
+ {
+ hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len);
+ }
}
/* set min and max channel time */
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 7f5c37a..b1b0957 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -5102,6 +5102,12 @@
return -EBUSY;
}
+ if (!capable(CAP_NET_ADMIN)){
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
/* helper function to get iwreq_data with compat handling. */
if (hdd_priv_get_data(&s_priv_data, wrqu))
{
@@ -7197,6 +7203,9 @@
hddLog(VOS_TRACE_LEVEL_INFO, "Data Offset %d Data Len %d",
pRequest->paramsData[i].dataOffset, pRequest->paramsData[i].dataLength);
+ if ((sizeof(packetFilterSetReq.paramsData[i].compareData)) <
+ (pRequest->paramsData[i].dataLength))
+ return -EINVAL;
memcpy(&packetFilterSetReq.paramsData[i].compareData,
pRequest->paramsData[i].compareData, pRequest->paramsData[i].dataLength);
@@ -7520,6 +7529,12 @@
int ret;
struct iw_point s_priv_data;
+ if (!capable(CAP_NET_ADMIN)) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ FL("permission check failed"));
+ return -EPERM;
+ }
+
if (hdd_priv_get_data(&s_priv_data, wrqu))
{
return -EINVAL;