qcacld-3.0: Specify a policy when parsing SAR limits

In __wlan_hdd_set_sar_power_limits() there are two places where
nla_parse() is called to parse a sequence of attributes.  Currently in
both places a policy is not specified. This prevents nla_parse() from
doing basic validation of the attributes, and in some circumstances
could result in a buffer overread. To avoid this issue define an
appropriate policy and use it in both invocations of nla_parse().

Change-Id: Ie74907f65d788f9ecd7302e37440121e36ad0ec3
CRs-Fixed: 2054757
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 3262480..5ed926e 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -9540,6 +9540,15 @@
 	return ret;
 }
 
+static const struct nla_policy
+sar_limits_policy[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_MAX + 1] = {
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SAR_ENABLE] = {.type = NLA_U32},
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_NUM_SPECS] = {.type = NLA_U32},
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_BAND] = {.type = NLA_U32},
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_CHAIN] = {.type = NLA_U32},
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_MODULATION] = {.type = NLA_U32},
+	[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC_POWER_LIMIT] = {.type = NLA_U32},
+};
 
 /**
  * __wlan_hdd_set_sar_power_limits() - Set SAR power limits
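Review bot: sar_limits_policy lists only the six u32 attributes, so the nested container whose elements the third hunk parses through sar_spec_list is still treated as NLA_UNSPEC and gets no type or length validation. If that container is QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC (its use is outside the visible hunks, so this is inferred), add `[QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_SPEC] = {.type = NLA_NESTED},` to the table. A short comment above the table, such as `/* Validation policy shared by the top-level and per-spec nla_parse() calls */`, would also record why one table serves both parses.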
@@ -9574,7 +9583,7 @@
 		return -EINVAL;
 
 	if (nla_parse(tb, QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_MAX,
-		      data, data_len, NULL)) {
+		      data, data_len, sar_limits_policy)) {
 		hdd_err("Invalid SAR attributes");
 		return -EINVAL;
 	}
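Review bot: The NLA_U32 entries now passed to nla_parse() at this call guarantee only that each listed attribute carries a four-byte payload; they do not bound the values. The code that reads tb[] starts after this hunk, so confirm there that the count taken from QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_NUM_SPECS is checked against the supported maximum before it sizes an allocation or a loop. If that check exists, a comment at this call such as `/* policy validates attribute lengths only; values are range-checked below */` would make the division of responsibility clear to the next reader.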
@@ -9625,7 +9634,7 @@
 
 		if (nla_parse(sar_spec, QCA_WLAN_VENDOR_ATTR_SAR_LIMITS_MAX,
 			      nla_data(sar_spec_list), nla_len(sar_spec_list),
-			      NULL)) {
+			      sar_limits_policy)) {
 			hdd_err("nla_parse failed for SAR Spec list");
 			goto fail;
 		}