wlan: Avoid overread when configuring MAC addresses
Propagation from qcacld-2.0 to prima.
Currently there are multiple cfg80211 vendor commands where MAC
address attributes are defined in a nla_policy table with a type of
NLA_UNSPEC but without a minimum length. Add the proper minimum length
to avoid buffer overread.
Change-Id: I11ff2bd813dc4e6784a7cdee66a0c10ca0e69fcf
CRs-Fixed: 2065587
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 3d07abd..0687dec 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -2193,8 +2193,9 @@
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_GET_CACHED_SCAN_RESULTS_CONFIG_PARAM_MAX] =
{ .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] =
- { .type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_BSSID] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_LOW] =
{ .type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_EXTSCAN_AP_THRESHOLD_PARAM_RSSI_HIGH] =
@@ -4454,7 +4455,9 @@
static const struct nla_policy
wlan_hdd_tdls_config_enable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAX +1] =
{
- [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_CHANNEL] = {.type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_TDLS_ENABLE_GLOBAL_OPERATING_CLASS] =
{.type = NLA_S32 },
@@ -4466,7 +4469,9 @@
static const struct nla_policy
wlan_hdd_tdls_config_disable_policy[QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAX +1] =
{
- [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_DISABLE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
};
@@ -4474,7 +4479,9 @@
wlan_hdd_tdls_config_state_change_policy[
QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAX +1] =
{
- [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_STATE_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
[QCA_WLAN_VENDOR_ATTR_TDLS_NEW_STATE] = {.type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_TDLS_STATE_REASON] = {.type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_TDLS_STATE_CHANNEL] = {.type = NLA_S32 },
@@ -4487,7 +4494,9 @@
wlan_hdd_tdls_config_get_status_policy[
QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAX +1] =
{
- [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
[QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_STATE] = {.type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_REASON] = {.type = NLA_S32 },
[QCA_WLAN_VENDOR_ATTR_TDLS_GET_STATUS_CHANNEL] = {.type = NLA_S32 },
@@ -4499,7 +4508,9 @@
static const struct nla_policy
wlan_hdd_mac_config[QCA_WLAN_VENDOR_ATTR_SET_SCANNING_MAC_OUI_MAX+1] =
{
- [QCA_WLAN_VENDOR_ATTR_SET_SCANNING_MAC_OUI] = {.type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_SET_SCANNING_MAC_OUI] = {
+ .type = NLA_UNSPEC,
+ .len = VOS_MAC_ADDR_FIRST_3_BYTES},
};
static int __wlan_hdd_cfg80211_set_spoofed_mac_oui(struct wiphy *wiphy,
@@ -5549,7 +5560,9 @@
nla_policy qca_wlan_vendor_attr[QCA_WLAN_VENDOR_ATTR_MAX+1] =
{
[QCA_WLAN_VENDOR_ATTR_ROAMING_POLICY] = { .type = NLA_U32 },
- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = { .type = NLA_UNSPEC },
+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
+ .type = NLA_UNSPEC,
+ .len = HDD_MAC_ADDR_LEN},
};
static int __wlan_hdd_cfg80211_firmware_roaming(struct wiphy *wiphy,
@@ -6539,8 +6552,9 @@
static const struct
nla_policy
qca_wlan_vendor_attr_policy[QCA_WLAN_VENDOR_ATTR_MAX+1] = {
- [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] =
- { .type = NLA_BINARY, .len = VOS_MAC_ADDR_SIZE },
+ [QCA_WLAN_VENDOR_ATTR_MAC_ADDR] = {
+ .type = NLA_BINARY,
+ .len = HDD_MAC_ADDR_LEN},
};
/**