FPII-2726:qcacld-2.0: Use heap memory for station_info instead of stack CVE-2016-8452

A-32506396
(Qualcomm ref#: CR#1050323) 
qcacld-2.0: Use heap memory for station_info instead of stack
From kernel 3.19-rc4, the size of struct station_info is around 600 bytes,
so the stack frame of any routine that uses this struct will easily
exceed 1024 bytes, the default value of the stack frame size.

So use heap memory for this struct instead.

Change-Id: I9da8a96253594c7a5b3f468d0389ac77567e682a
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 07ea0ab..69b6e80 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -2215,7 +2215,7 @@
       case eCSR_ROAM_RESULT_IBSS_NEW_PEER:
       {
          hdd_station_ctx_t *pHddStaCtx = WLAN_HDD_GET_STATION_CTX_PTR(pAdapter);
-         struct station_info staInfo;
+         struct station_info *stainfo;
 
          pr_info ( "IBSS New Peer indication from SME "
                     "with peerMac " MAC_ADDRESS_STR " BSSID: " MAC_ADDRESS_STR " and stationID= %d",
@@ -2249,14 +2249,21 @@
                vosStatus, vosStatus );
          }
          pHddStaCtx->ibss_sta_generation++;
-         memset(&staInfo, 0, sizeof(staInfo));
-         staInfo.filled = 0;
-         staInfo.generation = pHddStaCtx->ibss_sta_generation;
-
+         stainfo = vos_mem_malloc(sizeof(*stainfo));
+         if (stainfo == NULL) {
+             VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+                       "memory allocation for station_info failed");
+             return eHAL_STATUS_FAILED_ALLOC;
+         }
+         memset(stainfo, 0, sizeof(*stainfo));
+         stainfo->filled = 0;
+         stainfo->generation = pHddStaCtx->ibss_sta_generation;
+ 
          cfg80211_new_sta(pAdapter->dev,
-                      (const u8 *)pRoamInfo->peerMac,
-                      &staInfo, GFP_KERNEL);
-
+                          (const u8 *)pRoamInfo->peerMac,
+                          stainfo, GFP_KERNEL);
+         vos_mem_free(stainfo);
+ 
          if ( eCSR_ENCRYPT_TYPE_WEP40_STATICKEY == pHddStaCtx->ibss_enc_key.encType
             ||eCSR_ENCRYPT_TYPE_WEP104_STATICKEY == pHddStaCtx->ibss_enc_key.encType
             ||eCSR_ENCRYPT_TYPE_TKIP == pHddStaCtx->ibss_enc_key.encType
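Review bot: The allocation-failure path `return eHAL_STATUS_FAILED_ALLOC;` leaves the handler after `pHddStaCtx->ibss_sta_generation++` has already run, and it skips the static-key handling whose condition begins right after `vos_mem_free(stainfo)`. Under memory pressure the driver's IBSS peer state and what cfg80211 has been told can then disagree, and a peer on an encrypted IBSS may be left without its key step being run. Consider moving `stainfo = vos_mem_malloc(sizeof(*stainfo));` and its NULL check above the generation increment, and check whether anything earlier in the case needs undoing; the case body starts and ends outside this hunk, so that part is not visible here. The same early-return pattern appears in the wlan_hdd_hostapd.c hunk (`return VOS_STATUS_E_NOMEM;`), where whatever the event handler does after this block is likewise skipped.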
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 19517a3..6620bc6 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -910,21 +910,28 @@
 #endif
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,38))
             {
-                struct station_info staInfo;
                 v_U16_t iesLen =  pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.iesLen;
 
-                memset(&staInfo, 0, sizeof(staInfo));
                 if (iesLen <= MAX_ASSOC_IND_IE_LEN )
                 {
-                    staInfo.assoc_req_ies =
+                  struct station_info *stainfo;
+                  stainfo = vos_mem_malloc(sizeof(*stainfo));
+                  if (stainfo == NULL) {
+                      hddLog(LOGE, FL("alloc station_info failed"));
+                      return VOS_STATUS_E_NOMEM;
+                  }
+                  memset(stainfo, 0, sizeof(*stainfo));
+                  stainfo->assoc_req_ies =
                         (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.ies[0];
-                    staInfo.assoc_req_ies_len = iesLen;
+                    stainfo->assoc_req_ies_len = iesLen;
 #if (LINUX_VERSION_CODE >= KERNEL_VERSION(3,0,31))
-                    staInfo.filled |= STATION_INFO_ASSOC_REQ_IES;
+                  stainfo->filled |= STATION_INFO_ASSOC_REQ_IES;
 #endif
                     cfg80211_new_sta(dev,
                                  (const u8 *)&pSapEvent->sapevt.sapStationAssocReassocCompleteEvent.staMac.bytes[0],
-                                 &staInfo, GFP_KERNEL);
+                                 stainfo, GFP_KERNEL);
+                  vos_mem_free(stainfo);
+
                 }
                 else
                 {
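Review bot: Nothing at `stainfo = vos_mem_malloc(sizeof(*stainfo));` says why a struct that lives for a single call is heap-allocated, so a later cleanup could move it back onto the stack and reintroduce the oversized frame. A one-line comment above the allocation would record it, e.g. `/* struct station_info is ~600 bytes since kernel 3.19; keep it off the stack */`. The added lines are also indented two columns less than the block's existing lines (`stainfo->assoc_req_ies_len = iesLen;` keeps the old indent while its neighbours do not), which makes the `if` body harder to follow. Aligning them with the `cfg80211_new_sta(` call would fix that.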