net: wireless: bcmdhd: adding bssid count NL attribute in SWC config
Insun Song [Fri, 21 Apr 2017 21:45:12 +0000 (14:45 -0700)]
adding new NL attribute item which contain SWC BSSIDs count. This help for
kernel driver to know it early before parsing whole NL buffer. and sort
out security vulnerability cases where malicious buffer injected.

Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 34973477
Change-Id: I1db053e722876e4b97d8f25fdc881279fa467bf6

bcmdhd/wifi_hal/gscan.cpp

index 07155e2..73bfe8c 100644 (file)
@@ -1436,30 +1436,38 @@ public:
         if (result < 0) {
             return result;
         }
-
-        struct nlattr * attr = request.attr_start(GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS);
-
-        for (int i = 0; i < mParams.num_bssid; i++) {
-            nlattr *attr2 = request.attr_start(i);
-            if (attr2 == NULL) {
+        result = request.put_u16(GSCAN_ATTRIBUTE_NUM_BSSID, mParams.num_bssid);
+        if (result < 0) {
+            return result;
+        }
+        if (mParams.num_bssid != 0) {
+            nlattr* attr = request.attr_start(GSCAN_ATTRIBUTE_SIGNIFICANT_CHANGE_BSSIDS);
+            if (attr == NULL) {
                 return WIFI_ERROR_OUT_OF_MEMORY;
             }
-            result = request.put_addr(GSCAN_ATTRIBUTE_BSSID, mParams.ap[i].bssid);
-            if (result < 0) {
-                return result;
-            }
-            result = request.put_u8(GSCAN_ATTRIBUTE_RSSI_HIGH, mParams.ap[i].high);
-            if (result < 0) {
-                return result;
-            }
-            result = request.put_u8(GSCAN_ATTRIBUTE_RSSI_LOW, mParams.ap[i].low);
-            if (result < 0) {
-                return result;
+
+            for (int i = 0; i < mParams.num_bssid; i++) {
+                nlattr* attr2 = request.attr_start(i);
+                if (attr2 == NULL) {
+                    return WIFI_ERROR_OUT_OF_MEMORY;
+                }
+                result = request.put_addr(GSCAN_ATTRIBUTE_BSSID, mParams.ap[i].bssid);
+                if (result < 0) {
+                    return result;
+                }
+                result = request.put_u8(GSCAN_ATTRIBUTE_RSSI_HIGH, mParams.ap[i].high);
+                if (result < 0) {
+                    return result;
+                }
+                result = request.put_u8(GSCAN_ATTRIBUTE_RSSI_LOW, mParams.ap[i].low);
+                if (result < 0) {
+                    return result;
+                }
+                request.attr_end(attr2);
             }
-            request.attr_end(attr2);
-        }
 
-        request.attr_end(attr);
+            request.attr_end(attr);
+        }
         request.attr_end(data);
 
         return result;