wlan: Avoid extscan bucket spec overread

Propagation from qcacld-2.0 to prima.

Currently in hdd_extscan_start_fill_bucket_channel_spec() the
QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC attribute is parsed without
specifying a policy. This means that no policy is enforced.
Subsequently the values of the nested attributes are retrieved, but
again without any length limits enforced. This could result in a
buffer overread.

To prevent this issue:
* Parse using the existing policy wlan_hdd_extscan_config_policy
* Update the policy to add missing attributes

Change-Id: I3b20cb28d1beccd2e804b022b531413ad1edb533
CRs-Fixed: 2058442

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index e826f0c..c23e376 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -3815,8 +3815,9 @@
nla_for_each_nested(buckets,
tb[QCA_WLAN_VENDOR_ATTR_EXTSCAN_BUCKET_SPEC], rem1) {
if (nla_parse(bucket,
- QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
- nla_data(buckets), nla_len(buckets), NULL)) {
+ QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX,
+ nla_data(buckets), nla_len(buckets),
+ wlan_hdd_extscan_config_policy)) {
hddLog(LOGE, FL("nla_parse failed"));
return -EINVAL;
}
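Review bot: Passing wlan_hdd_extscan_config_policy to the nested nla_parse() only bounds attributes that have an entry in that table, and this hunk does not show the policy additions the commit message mentions. Please confirm that every bucket[] attribute read after this parse has a typed entry in the policy, and that the policy array is sized for QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX + 1, since an attribute without an entry is still accepted at any length. The re-indentation of the unchanged QCA_WLAN_VENDOR_ATTR_EXTSCAN_SUBCMD_CONFIG_PARAM_MAX line is whitespace-only and could be dropped to keep the diff to the one functional change.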