evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge "wcnss: fix the potential buffer overflow in wlan ctrl data process"

Browse source
This commit is contained in:
Linux Build Service Account 2017-12-06 07:00:32 -08:00 committed by Gerrit - the friendly Code Review server
commit 7099c46a66
1 changed files with 41 additions and 50 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

91
drivers/net/wireless/wcnss/wcnss_wlan.c
View file

@ -203,6 +203,7 @@ static DEFINE_SPINLOCK(reg_spinlock);
#define WCNSS_MAX_BUILD_VER_LEN 256 #define WCNSS_MAX_BUILD_VER_LEN 256
#define WCNSS_MAX_CMD_LEN (128) #define WCNSS_MAX_CMD_LEN (128)
#define WCNSS_MIN_CMD_LEN (3) #define WCNSS_MIN_CMD_LEN (3)
#define WCNSS_CMD_INFO_LEN 2
/* control messages from userspace */ /* control messages from userspace */
#define WCNSS_USR_CTRL_MSG_START 0x00000000 #define WCNSS_USR_CTRL_MSG_START 0x00000000
@ -210,7 +211,6 @@ static DEFINE_SPINLOCK(reg_spinlock);
#define WCNSS_USR_WLAN_MAC_ADDR (WCNSS_USR_CTRL_MSG_START + 3) #define WCNSS_USR_WLAN_MAC_ADDR (WCNSS_USR_CTRL_MSG_START + 3)
#define MAC_ADDRESS_STR "%02x:%02x:%02x:%02x:%02x:%02x" #define MAC_ADDRESS_STR "%02x:%02x:%02x:%02x:%02x:%02x"
#define SHOW_MAC_ADDRESS_STR "%02x:%02x:%02x:%02x:%02x:%02x\n"
#define WCNSS_USER_MAC_ADDR_LENGTH 18 #define WCNSS_USER_MAC_ADDR_LENGTH 18
/* message types */ /* message types */
@ -473,11 +473,7 @@ static ssize_t wcnss_wlan_macaddr_store(struct device *dev,
(char *)&macAddr[index], sizeof(char)); (char *)&macAddr[index], sizeof(char));
} }
pr_info("%s: Write MAC Addr:" MAC_ADDRESS_STR "\n", __func__, pr_info("%s: Write MAC Addr: %pM\n", __func__, penv->wlan_nv_macAddr);
penv->wlan_nv_macAddr[0], penv->wlan_nv_macAddr[1],
penv->wlan_nv_macAddr[2], penv->wlan_nv_macAddr[3],
penv->wlan_nv_macAddr[4], penv->wlan_nv_macAddr[5]);
return count; return count;
} }
@ -487,10 +483,7 @@ static ssize_t wcnss_wlan_macaddr_show(struct device *dev,
if (!penv) if (!penv)
return -ENODEV; return -ENODEV;
return scnprintf(buf, PAGE_SIZE, SHOW_MAC_ADDRESS_STR, return scnprintf(buf, PAGE_SIZE, "%pM\n", penv->wlan_nv_macAddr);
penv->wlan_nv_macAddr[0], penv->wlan_nv_macAddr[1],
penv->wlan_nv_macAddr[2], penv->wlan_nv_macAddr[3],
penv->wlan_nv_macAddr[4], penv->wlan_nv_macAddr[5]);
} }
static DEVICE_ATTR(wcnss_mac_addr, S_IRUSR | S_IWUSR, static DEVICE_ATTR(wcnss_mac_addr, S_IRUSR | S_IWUSR,
@ -1653,10 +1646,8 @@ int wcnss_get_wlan_mac_address(char mac_addr[WLAN_MAC_ADDR_SIZE])
return -ENODEV; return -ENODEV;
memcpy(mac_addr, penv->wlan_nv_macAddr, WLAN_MAC_ADDR_SIZE); memcpy(mac_addr, penv->wlan_nv_macAddr, WLAN_MAC_ADDR_SIZE);
pr_debug("%s: Get MAC Addr:" MAC_ADDRESS_STR "\n", __func__, pr_debug("%s: Get MAC Addr: %pM\n", __func__, penv->wlan_nv_macAddr);
penv->wlan_nv_macAddr[0], penv->wlan_nv_macAddr[1],
penv->wlan_nv_macAddr[2], penv->wlan_nv_macAddr[3],
penv->wlan_nv_macAddr[4], penv->wlan_nv_macAddr[5]);
return 0; return 0;
} }
EXPORT_SYMBOL(wcnss_get_wlan_mac_address); EXPORT_SYMBOL(wcnss_get_wlan_mac_address);
@ -2625,57 +2616,57 @@ static int wcnss_ctrl_open(struct inode *inode, struct file *file)
return rc; return rc;
} }
void process_usr_ctrl_cmd(u8 *buf, size_t len)
{
u16 cmd = buf[0] << 8 | buf[1];
switch (cmd) {
case WCNSS_USR_HAS_CAL_DATA:
if (1 < buf[2])
pr_err("%s: Invalid data for cal %d\n", __func__,
buf[2]);
has_calibrated_data = buf[2];
break;
case WCNSS_USR_WLAN_MAC_ADDR:
memcpy(&penv->wlan_nv_macAddr, &buf[2],
sizeof(penv->wlan_nv_macAddr));
pr_debug("%s: MAC Addr:" MAC_ADDRESS_STR "\n", __func__,
penv->wlan_nv_macAddr[0], penv->wlan_nv_macAddr[1],
penv->wlan_nv_macAddr[2], penv->wlan_nv_macAddr[3],
penv->wlan_nv_macAddr[4], penv->wlan_nv_macAddr[5]);
break;
default:
pr_err("%s: Invalid command %d\n", __func__, cmd);
break;
}
}
static ssize_t wcnss_ctrl_write(struct file *fp, const char __user static ssize_t wcnss_ctrl_write(struct file *fp, const char __user
*user_buffer, size_t count, loff_t *position) *user_buffer, size_t count, loff_t *position)
{ {
int rc = 0; int rc = 0;
u16 cmd;
u8 buf[WCNSS_MAX_CMD_LEN]; u8 buf[WCNSS_MAX_CMD_LEN];
if (!penv || !penv->ctrl_device_opened || WCNSS_MAX_CMD_LEN < count if (!penv || !penv->ctrl_device_opened ||
|| WCNSS_MIN_CMD_LEN > count) WCNSS_MAX_CMD_LEN < count || WCNSS_MIN_CMD_LEN > count)
return -EFAULT; return -EFAULT;
mutex_lock(&penv->ctrl_lock); mutex_lock(&penv->ctrl_lock);
rc = copy_from_user(buf, user_buffer, count); rc = copy_from_user(buf, user_buffer, count);
if (0 == rc) if (rc) {
process_usr_ctrl_cmd(buf, count); pr_err("%s: Failed to copy ctrl data\n", __func__);
goto exit;
}
cmd = buf[0] << 8 | buf[1];
switch (cmd) {
case WCNSS_USR_HAS_CAL_DATA:
if (buf[2] > 1) {
pr_err("%s: Invalid cal data %d\n", __func__, buf[2]);
rc = -EINVAL;
goto exit;
}
has_calibrated_data = buf[2];
break;
case WCNSS_USR_WLAN_MAC_ADDR:
if ((count - WCNSS_CMD_INFO_LEN) != WLAN_MAC_ADDR_SIZE) {
pr_err("%s: Invalid Mac addr %d\n", __func__, buf[2]);
rc = -EINVAL;
goto exit;
}
memcpy(&penv->wlan_nv_macAddr, &buf[2],
sizeof(penv->wlan_nv_macAddr));
pr_debug("%s:MAC Addr: %pM\n", __func__, penv->wlan_nv_macAddr);
break;
default:
pr_err("%s: Invalid command %d\n", __func__, cmd);
rc = -EINVAL;
break;
}
exit:
mutex_unlock(&penv->ctrl_lock); mutex_unlock(&penv->ctrl_lock);
return rc; return rc;
} }
static const struct file_operations wcnss_ctrl_fops = { static const struct file_operations wcnss_ctrl_fops = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
.open = wcnss_ctrl_open, .open = wcnss_ctrl_open,