qcacld-3.0: Avoid buffer overread when parsing PNO commands
There are currently three issues which can result in a buffer overread
when processing PNO vendor commands:
1) __wlan_hdd_cfg80211_set_passpoint_list() specifies the wrong policy
when invoking nla_parse().
2) hdd_extscan_passpoint_fill_network_list() does not specify a policy
when invoking nla_parse().
3) __wlan_hdd_cfg80211_set_epno_list() specifies a policy but not all
of the attributes that are parsed are present in the policy.
To prevent buffer overread:
1) Update __wlan_hdd_cfg80211_set_passpoint_list() and
hdd_extscan_passpoint_fill_network_list() to use the policy
wlan_hdd_pno_config_policy.
2) Update wlan_hdd_pno_config_policy to contain all the fixed-length
attributes needed by __wlan_hdd_cfg80211_set_passpoint_list(),
hdd_extscan_passpoint_fill_network_list(), and
__wlan_hdd_cfg80211_set_epno_list().
Change-Id: I4a20e77ce87967ae78323b83a2aa9085fed2647f
CRs-Fixed: 2054770
diff --git a/core/hdd/src/wlan_hdd_ext_scan.c b/core/hdd/src/wlan_hdd_ext_scan.c
index b364427..4a3cdca3 100644
--- a/core/hdd/src/wlan_hdd_ext_scan.c
+++ b/core/hdd/src/wlan_hdd_ext_scan.c
@@ -135,6 +135,12 @@
static const struct nla_policy
wlan_hdd_pno_config_policy[QCA_WLAN_VENDOR_ATTR_PNO_MAX + 1] = {
+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_LIST_PARAM_NUM] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_PNO_PASSPOINT_NETWORK_PARAM_ID] = {
+ .type = NLA_U32
+ },
[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_NUM_NETWORKS] = {
.type = NLA_U32
},
@@ -148,6 +154,27 @@
[QCA_WLAN_VENDOR_ATTR_PNO_SET_LIST_PARAM_EPNO_NETWORK_AUTH_BIT] = {
.type = NLA_U8
},
+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN5GHZ_RSSI] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_MIN24GHZ_RSSI] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_INITIAL_SCORE_MAX] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_CURRENT_CONNECTION_BONUS] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_SAME_NETWORK_BONUS] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_SECURE_BONUS] = {
+ .type = NLA_U32
+ },
+ [QCA_WLAN_VENDOR_ATTR_EPNO_BAND5GHZ_BONUS] = {
+ .type = NLA_U32
+ },
};
static const struct nla_policy
@@ -3997,8 +4024,9 @@
}
if (nla_parse(network,
- QCA_WLAN_VENDOR_ATTR_PNO_MAX,
- nla_data(networks), nla_len(networks), NULL)) {
+ QCA_WLAN_VENDOR_ATTR_PNO_MAX,
+ nla_data(networks), nla_len(networks),
+ wlan_hdd_pno_config_policy)) {
hdd_err("nla_parse failed");
return -EINVAL;
}
@@ -4096,7 +4124,7 @@
}
if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_PNO_MAX, data, data_len,
- wlan_hdd_extscan_config_policy)) {
+ wlan_hdd_pno_config_policy)) {
hdd_err("Invalid ATTR");
return -EINVAL;
}