net: wireless: bcmdhd: Heap overflow in wl_run_escan
Sudhir Kohalli [Wed, 10 May 2017 17:15:45 +0000 (10:15 -0700)]
1) The default_chan_list buffer overflow is avoided by checking
n_nodfs index does not exceed num_chans, which is the length
of default_chan_list buffer.
2) The SSID length check 32 (max limit) is done and then the SSID
name copied in extra buffer is null terminated. The extra buffer
is allocated a length of 33 in wl_iw_ioctl.c.

Bug: 34197514
Bug: 34199963
Bug: 34198729

Bug 1887273

Change-Id: Ic583c12b00523186718bc891fc3d9505a07738b6
Signed-off-by: Sudhir Kohalli <sudhir.kohalli@broadcom.com>
Signed-off-by: Mohan Thadikamalla <mohant@nvidia.com>
Reviewed-on: http://git-master/r/1480396
Reviewed-by: Neil Patel <neilp@nvidia.com>
GVS: Gerrit_Virtual_Submit
Reviewed-by: Manish Tuteja <mtuteja@nvidia.com>

drivers/net/wireless/bcmdhd/wl_cfg80211.c

index dadea9a..5f4a1cd 100644
@@ -2459,6 +2459,9 @@ wl_run_escan(struct bcm_cfg80211 *cfg, struct net_device *ndev,
                                                /* allows only supported channel on
                                                *  current reguatory
                                                */
+                                               if (n_nodfs >= num_chans)
+                                                       break;
+
                                                if (channel == (dtoh32(list->element[j])))
                                                        default_chan_list[n_nodfs++] =
                                                                channel;
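Review bot: the new guard `if (n_nodfs >= num_chans) break;` is placed inside the loop over `list->element[j]`, so the `break` leaves only that inner loop; if an enclosing loop drives `channel`, it keeps iterating and re-hits the guard on every pass, which is harmless but wasteful, and nothing records that channels were dropped. Consider ending the enclosing iteration on the same condition and emitting a WL_DBG/WL_ERR line when the cap is reached, so a truncated `default_chan_list` is visible in logs rather than silent. The fix also relies entirely on `num_chans` being the allocated element count of `default_chan_list`, as the commit message asserts; the allocation is not in the visible context, so that invariant is worth confirming in review. Minor: the pre-existing comment reads `reguatory` for `regulatory`.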
@@ -9864,7 +9867,12 @@ wl_notify_pfn_status(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
 {
        struct net_device *ndev = NULL;
 
-       WL_ERR((">>> PNO Event\n"));
+       if (!data) {
+               WL_ERR(("Data is NULL!\n"));
+               return 0;
+       }
+
+       WL_DBG((">>> PNO Event\n"));
 
        ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
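Review bot: this hunk is not described in the commit message, which covers only the escan channel-list bound and the SSID length check. Both the new NULL guard on `data` in wl_notify_pfn_status and the downgrade of the per-event `>>> PNO Event` print from WL_ERR to WL_DBG should be called out, the latter in particular because it changes what reaches the error log on every PNO event. For the guard, it would also help to state which path can deliver a NULL `data` so the reason for the early `return 0` survives in history.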