Accueil Explorer Aide
S'inscrire Connexion
wareck
/
openwrt_chaos_calmer
1
0
Fork 0
Fichiers Tickets 0 Pull Requests 0 Wiki
Branche: master
Branches Tags
openwrt_chaos_c...
/
package
/
kernel
/
mac80211
/
patches
/
351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch

351-0046-brcmfmac-fix-out-of-bound-access-on-clearing-wowl-wa.patch 1.9 KB
Lien permanent Historique Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344 
  1. From a7ed7828ecda0c2b5e0d7f55dedd4230afd4b583 Mon Sep 17 00:00:00 2001
    2. 

  2. From: Hante Meuleman <hante.meuleman@broadcom.com>
    3. 

  3. Date: Mon, 19 Sep 2016 12:09:58 +0100
    4. 

  4. Subject: [PATCH] brcmfmac: fix out of bound access on clearing wowl wake
    5. 

  5.  indicator
    6. 

  6. 

  7. Clearing the wowl wakeindicator happens with a rather odd
    8. 

  8. construction where the string "clear" is used to set the iovar
    9. 

  9. wowl_wakeind. This was implemented incorrectly as it caused an
    10. 

  10. out of bound access. Use an intermediate variable of correct
    11. 

  11. length and copy string in that. Problem was found using coverity.
    12. 

  12. 

  13. Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
    14. 

  14. Reviewed-by: Franky Lin <franky.lin@broadcom.com>
    15. 

  15. Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
    16. 

  16. Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
    17. 

  17. Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
    18. 

  18. Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
    19. 

  19. ---
    20. 

  20.  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 ++++--
    21. 

  21.  1 file changed, 4 insertions(+), 2 deletions(-)
    22. 

  22. 

  23. --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    24. 

  24. +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
    25. 

  25. @@ -3623,6 +3623,7 @@ static void brcmf_configure_wowl(struct
    26. 

  26.  				 struct cfg80211_wowlan *wowl)
    27. 

  27.  {
    28. 

  28.  	u32 wowl_config;
    29. 

  29. +	struct brcmf_wowl_wakeind_le wowl_wakeind;
    30. 

  30.  	u32 i;
    31. 

  31.  
    32. 

  32.  	brcmf_dbg(TRACE, "Suspend, wowl config.\n");
    33. 

  33. @@ -3664,8 +3665,9 @@ static void brcmf_configure_wowl(struct
    34. 

  34.  	if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
    35. 

  35.  		wowl_config |= BRCMF_WOWL_UNASSOC;
    36. 

  36.  
    37. 

  37. -	brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",
    38. 

  38. -				 sizeof(struct brcmf_wowl_wakeind_le));
    39. 

  39. +	memcpy(&wowl_wakeind, "clear", 6);
    40. 

  40. +	brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,
    41. 

  41. +				 sizeof(wowl_wakeind));
    42. 

  42.  	brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);
    43. 

  43.  	brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);
    44. 

  44.  	brcmf_bus_wowl_config(cfg->pub->bus_if, true);
    45.