+From: Hante Meuleman <meuleman@broadcom.com>
+Date: Wed, 17 Feb 2016 11:26:54 +0100
+Subject: [PATCH] brcmfmac: Add length checks on firmware events
+
+Add additional length checks on firmware events to create more
+robust code.
+
+Reviewed-by: Arend Van Spriel <arend@broadcom.com>
+Reviewed-by: Franky (Zhenhui) Lin <frankyl@broadcom.com>
+Reviewed-by: Pieter-Paul Giesberts <pieterpg@broadcom.com>
+Reviewed-by: Lei Zhang <leizh@broadcom.com>
+Signed-off-by: Hante Meuleman <meuleman@broadcom.com>
+Signed-off-by: Arend van Spriel <arend@broadcom.com>
+Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
+---
+
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+@@ -3092,6 +3092,11 @@ brcmf_notify_sched_scan_results(struct b
+
+ brcmf_dbg(SCAN, "Enter\n");
+
++ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
++ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
++ return 0;
++ }
++
+ if (e->event_code == BRCMF_E_PFN_NET_LOST) {
+ brcmf_dbg(SCAN, "PFN NET LOST event. Do Nothing\n");
+ return 0;
+@@ -3415,6 +3420,11 @@ brcmf_wowl_nd_results(struct brcmf_if *i
+
+ brcmf_dbg(SCAN, "Enter\n");
+
++ if (e->datalen < (sizeof(*pfn_result) + sizeof(*netinfo))) {
++ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
++ return 0;
++ }
++
+ pfn_result = (struct brcmf_pno_scanresults_le *)data;
+
+ if (e->event_code == BRCMF_E_PFN_NET_LOST) {
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.c
+@@ -26,50 +26,6 @@
+ #include "fwil.h"
+
+ /**
+- * struct brcm_ethhdr - broadcom specific ether header.
+- *
+- * @subtype: subtype for this packet.
+- * @length: TODO: length of appended data.
+- * @version: version indication.
+- * @oui: OUI of this packet.
+- * @usr_subtype: subtype for this OUI.
+- */
+-struct brcm_ethhdr {
+- __be16 subtype;
+- __be16 length;
+- u8 version;
+- u8 oui[3];
+- __be16 usr_subtype;
+-} __packed;
+-
+-struct brcmf_event_msg_be {
+- __be16 version;
+- __be16 flags;
+- __be32 event_type;
+- __be32 status;
+- __be32 reason;
+- __be32 auth_type;
+- __be32 datalen;
+- u8 addr[ETH_ALEN];
+- char ifname[IFNAMSIZ];
+- u8 ifidx;
+- u8 bsscfgidx;
+-} __packed;
+-
+-/**
+- * struct brcmf_event - contents of broadcom event packet.
+- *
+- * @eth: standard ether header.
+- * @hdr: broadcom specific ether header.
+- * @msg: common part of the actual event message.
+- */
+-struct brcmf_event {
+- struct ethhdr eth;
+- struct brcm_ethhdr hdr;
+- struct brcmf_event_msg_be msg;
+-} __packed;
+-
+-/**
+ * struct brcmf_fweh_queue_item - event item on event queue.
+ *
+ * @q: list element for queuing.
+@@ -85,6 +41,7 @@ struct brcmf_fweh_queue_item {
+ u8 ifidx;
+ u8 ifaddr[ETH_ALEN];
+ struct brcmf_event_msg_be emsg;
++ u32 datalen;
+ u8 data[0];
+ };
+
+@@ -294,6 +251,11 @@ static void brcmf_fweh_event_worker(stru
+ brcmf_dbg_hex_dump(BRCMF_EVENT_ON(), event->data,
+ min_t(u32, emsg.datalen, 64),
+ "event payload, len=%d\n", emsg.datalen);
++ if (emsg.datalen > event->datalen) {
++ brcmf_err("event invalid length header=%d, msg=%d\n",
++ event->datalen, emsg.datalen);
++ goto event_free;
++ }
+
+ /* special handling of interface event */
+ if (event->code == BRCMF_E_IF) {
+@@ -439,7 +401,8 @@ int brcmf_fweh_activate_events(struct br
+ * dispatch the event to a registered handler (using worker).
+ */
+ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
+- struct brcmf_event *event_packet)
++ struct brcmf_event *event_packet,
++ u32 packet_len)
+ {
+ enum brcmf_fweh_event_code code;
+ struct brcmf_fweh_info *fweh = &drvr->fweh;
+@@ -459,6 +422,9 @@ void brcmf_fweh_process_event(struct brc
+ if (code != BRCMF_E_IF && !fweh->evt_handler[code])
+ return;
+
++ if (datalen > BRCMF_DCMD_MAXLEN)
++ return;
++
+ if (in_interrupt())
+ alloc_flag = GFP_ATOMIC;
+
+@@ -472,6 +438,7 @@ void brcmf_fweh_process_event(struct brc
+ /* use memcpy to get aligned event message */
+ memcpy(&event->emsg, &event_packet->msg, sizeof(event->emsg));
+ memcpy(event->data, data, datalen);
++ event->datalen = datalen;
+ memcpy(event->ifaddr, event_packet->eth.h_dest, ETH_ALEN);
+
+ brcmf_fweh_queue_event(fweh, event);
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/fweh.h
+@@ -27,7 +27,6 @@
+ struct brcmf_pub;
+ struct brcmf_if;
+ struct brcmf_cfg80211_info;
+-struct brcmf_event;
+
+ /* list of firmware events */
+ #define BRCMF_FWEH_EVENT_ENUM_DEFLIST \
+@@ -180,13 +179,55 @@ enum brcmf_fweh_event_code {
+ /**
+ * definitions for event packet validation.
+ */
+-#define BRCMF_EVENT_OUI_OFFSET 19
+-#define BRCM_OUI "\x00\x10\x18"
+-#define DOT11_OUI_LEN 3
+-#define BCMILCP_BCM_SUBTYPE_EVENT 1
++#define BRCM_OUI "\x00\x10\x18"
++#define BCMILCP_BCM_SUBTYPE_EVENT 1
+
+
+ /**
++ * struct brcm_ethhdr - broadcom specific ether header.
++ *
++ * @subtype: subtype for this packet.
++ * @length: TODO: length of appended data.
++ * @version: version indication.
++ * @oui: OUI of this packet.
++ * @usr_subtype: subtype for this OUI.
++ */
++struct brcm_ethhdr {
++ __be16 subtype;
++ __be16 length;
++ u8 version;
++ u8 oui[3];
++ __be16 usr_subtype;
++} __packed;
++
++struct brcmf_event_msg_be {
++ __be16 version;
++ __be16 flags;
++ __be32 event_type;
++ __be32 status;
++ __be32 reason;
++ __be32 auth_type;
++ __be32 datalen;
++ u8 addr[ETH_ALEN];
++ char ifname[IFNAMSIZ];
++ u8 ifidx;
++ u8 bsscfgidx;
++} __packed;
++
++/**
++ * struct brcmf_event - contents of broadcom event packet.
++ *
++ * @eth: standard ether header.
++ * @hdr: broadcom specific ether header.
++ * @msg: common part of the actual event message.
++ */
++struct brcmf_event {
++ struct ethhdr eth;
++ struct brcm_ethhdr hdr;
++ struct brcmf_event_msg_be msg;
++} __packed;
++
++/**
+ * struct brcmf_event_msg - firmware event message.
+ *
+ * @version: version information.
+@@ -256,34 +297,35 @@ void brcmf_fweh_unregister(struct brcmf_
+ enum brcmf_fweh_event_code code);
+ int brcmf_fweh_activate_events(struct brcmf_if *ifp);
+ void brcmf_fweh_process_event(struct brcmf_pub *drvr,
+- struct brcmf_event *event_packet);
++ struct brcmf_event *event_packet,
++ u32 packet_len);
+ void brcmf_fweh_p2pdev_setup(struct brcmf_if *ifp, bool ongoing);
+
+ static inline void brcmf_fweh_process_skb(struct brcmf_pub *drvr,
+ struct sk_buff *skb)
+ {
+ struct brcmf_event *event_packet;
+- u8 *data;
+ u16 usr_stype;
+
+ /* only process events when protocol matches */
+ if (skb->protocol != cpu_to_be16(ETH_P_LINK_CTL))
+ return;
+
++ if ((skb->len + ETH_HLEN) < sizeof(*event_packet))
++ return;
++
+ /* check for BRCM oui match */
+ event_packet = (struct brcmf_event *)skb_mac_header(skb);
+- data = (u8 *)event_packet;
+- data += BRCMF_EVENT_OUI_OFFSET;
+- if (memcmp(BRCM_OUI, data, DOT11_OUI_LEN))
++ if (memcmp(BRCM_OUI, &event_packet->hdr.oui[0],
++ sizeof(event_packet->hdr.oui)))
+ return;
+
+ /* final match on usr_subtype */
+- data += DOT11_OUI_LEN;
+- usr_stype = get_unaligned_be16(data);
++ usr_stype = get_unaligned_be16(&event_packet->hdr.usr_subtype);
+ if (usr_stype != BCMILCP_BCM_SUBTYPE_EVENT)
+ return;
+
+- brcmf_fweh_process_event(drvr, event_packet);
++ brcmf_fweh_process_event(drvr, event_packet, skb->len + ETH_HLEN);
+ }
+
+ #endif /* FWEH_H_ */
+--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
++++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c
+@@ -1361,6 +1361,11 @@ int brcmf_p2p_notify_action_frame_rx(str
+ u16 mgmt_type;
+ u8 action;
+
++ if (e->datalen < sizeof(*rxframe)) {
++ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
++ return 0;
++ }
++
+ ch.chspec = be16_to_cpu(rxframe->chanspec);
+ cfg->d11inf.decchspec(&ch);
+ /* Check if wpa_supplicant has registered for this frame */
+@@ -1858,6 +1863,11 @@ s32 brcmf_p2p_notify_rx_mgmt_p2p_probere
+ brcmf_dbg(INFO, "Enter: event %d reason %d\n", e->event_code,
+ e->reason);
+
++ if (e->datalen < sizeof(*rxframe)) {
++ brcmf_dbg(SCAN, "Event data to small. Ignore\n");
++ return 0;
++ }
++
+ ch.chspec = be16_to_cpu(rxframe->chanspec);
+ cfg->d11inf.decchspec(&ch);
+
projects / openwrt / svn-archive / archive.git / blobdiff