brcmfmac: add length checks in scheduled scan result handler
authorArend Van Spriel <arend.vanspriel@broadcom.com>
Thu, 6 Apr 2017 12:14:40 +0000 (13:14 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 11 Jun 2019 10:22:44 +0000 (12:22 +0200)
commit 4835f37e3bafc138f8bfa3cbed2920dd56fed283 upstream.

Ensure the event data buffer is long enough to hold the array
of netinfo items and that SSID length does not exceed the maximum
of 32 characters as per 802.11 spec.

Reviewed-by: Hante Meuleman <hante.meuleman@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
[bwh: Backported to 4.9:
 - Move the assignment to "data" along with the assignment to "netinfo_start"
   that depends on it
 - Adjust context, indentation]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

index 8f8fe6f2af5b0a74700ee2be5850d8139d546ed3..8187d27a9c1c2453669a8073edf744549b1a9517 100644 (file)
@@ -3220,6 +3220,7 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
        struct brcmf_pno_scanresults_le *pfn_result;
        u32 result_count;
        u32 status;
+       u32 datalen;
 
        brcmf_dbg(SCAN, "Enter\n");
 
@@ -3245,6 +3246,14 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
        if (result_count > 0) {
                int i;
 
+               data += sizeof(struct brcmf_pno_scanresults_le);
+               netinfo_start = (struct brcmf_pno_net_info_le *)data;
+               datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
+               if (datalen < result_count * sizeof(*netinfo)) {
+                       brcmf_err("insufficient event data\n");
+                       goto out_err;
+               }
+
                request = kzalloc(sizeof(*request), GFP_KERNEL);
                ssid = kcalloc(result_count, sizeof(*ssid), GFP_KERNEL);
                channel = kcalloc(result_count, sizeof(*channel), GFP_KERNEL);
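Review bot: The subtraction on the `datalen =` line underflows when `e->datalen` is smaller than the `brcmf_pno_scanresults_le` header, leaving a huge u32 that sails through the new `if (datalen < ...)` guard; unless `e->datalen` is already bounded against the header size earlier in the function (not visible in this hunk), a lower-bound check is needed before the subtraction. The right-hand side `result_count * sizeof(*netinfo)` is also a firmware-supplied u32 multiplied by a size_t, which can wrap on 32-bit builds where size_t is 32 bits wide, so dividing the remaining length by the entry size is the overflow-free form. Rewritten guard below, reusing the existing error path; the rest of brcmf_notify_sched_scan_results lies outside the hunk.
```c
		data += sizeof(struct brcmf_pno_scanresults_le);
		netinfo_start = (struct brcmf_pno_net_info_le *)data;
		if (e->datalen < sizeof(*pfn_result)) {
			brcmf_err("insufficient event data\n");
			goto out_err;
		}
		datalen = e->datalen - ((void *)netinfo_start - (void *)pfn_result);
		if (datalen / sizeof(*netinfo) < result_count) {
			brcmf_err("insufficient event data\n");
			goto out_err;
		}
		/* … unchanged: request/ssid/channel allocation … */
```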
@@ -3254,9 +3263,6 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
                }
 
                request->wiphy = wiphy;
-               data += sizeof(struct brcmf_pno_scanresults_le);
-               netinfo_start = (struct brcmf_pno_net_info_le *)data;
-
                for (i = 0; i < result_count; i++) {
                        netinfo = &netinfo_start[i];
                        if (!netinfo) {
@@ -3266,6 +3272,8 @@ brcmf_notify_sched_scan_results(struct brcmf_if *ifp,
                                goto out_err;
                        }
 
+                       if (netinfo->SSID_len > IEEE80211_MAX_SSID_LEN)
+                               netinfo->SSID_len = IEEE80211_MAX_SSID_LEN;
                        brcmf_dbg(SCAN, "SSID:%s Channel:%d\n",
                                  netinfo->SSID, netinfo->channel);
                        memcpy(ssid[i].ssid, netinfo->SSID, netinfo->SSID_len);
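Review bot: The `brcmf_dbg` call immediately after the new clamp still prints `netinfo->SSID` with `%s`, which reads until a NUL byte rather than stopping at the now-bounded `SSID_len`; if SSID is a fixed-size byte array with no guaranteed terminator, as 802.11 SSID fields usually are, the format should be `"SSID:%.*s Channel:%d\n", netinfo->SSID_len, netinfo->SSID, netinfo->channel` so the debug output is limited by the same bound the memcpy now respects. The clamp also differs in policy from the length check earlier in this function, which rejects the event via `brcmf_err` and `goto out_err`; an over-long SSID_len is equally a malformed entry, and silently truncating it leaves no trace in the log, so a `brcmf_dbg(SCAN, ...)` noting the truncation would help when diagnosing firmware misbehaviour. The enclosing loop and function continue outside the hunk.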