author | Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com> | 2023-02-08 16:18:57 +0900 |
---|---|---|
committer | chenpaul <chenpaul@google.com> | 2023-02-14 11:36:27 +0800 |
commit | 6bda8c521ec8dfe0811f98b3eb3eaa15e1fad34d (patch) | |
tree | 49c460422f03c8b77f0bacf459376d0320ba0e61 | |
parent | f89c00b4918cd4ac791e14abd3b0c6fa59396590 (diff) | |
download | wlan-6bda8c521ec8dfe0811f98b3eb3eaa15e1fad34d.tar.gz |
HAL: Fixed OOB read by assigning each param of Nancapabilities individually
NOTE: This is a fix for pa/2366563.
In pa/2366563, get_vendor_data_len() represents the size of
nan_hal_resp_t in the DHD, not the size of NanCapabilities.
This causes the crash again, since memcpy's third argument
is still 88 bytes, which is defined in the Legacy HAL.
(x2 register value - 0000000000000058)
Fixed it by assigning each param individually instead of using memcpy,
regardless of framework NanCapabilities changes.
Bug: 265225404
Test: BRCM halutil (brcm_halutil -nan -get_capabilities)
Change-Id: I7632d7f38f3c0a8ab2269b043eb77a17fb5100c8
Signed-off-by: Dennis Jeon <dennis.jeon@broadcom.corp-partner.google.com>
-rwxr-xr-x | bcmdhd/wifi_hal/nan.cpp | 22 |
1 files changed, 22 insertions, 0 deletions
diff --git a/bcmdhd/wifi_hal/nan.cpp b/bcmdhd/wifi_hal/nan.cpp index 5f2263d..c6a7249 100755 --- a/bcmdhd/wifi_hal/nan.cpp +++ b/bcmdhd/wifi_hal/nan.cpp @@ -1545,6 +1545,28 @@ class NanDiscEnginePrimitive : public WifiCommand } else if (rsp_data.response_type == NAN_GET_CAPABILITIES) { memcpy((void *)&rsp_data.body.nan_capabilities, (void *)&rsp_vndr_data->capabilities, min(len, sizeof(rsp_data.body.nan_capabilities))); + /* avoid memcpy to keep backward compatibility */ + NanCapabilities *desc = &rsp_data.body.nan_capabilities; + NanCapabilities *src = &rsp_vndr_data->capabilities; + + desc->max_publishes = src->max_publishes; + desc->max_subscribes = src->max_subscribes; + desc->max_ndi_interfaces = src->max_ndi_interfaces; + desc->max_ndp_sessions = src->max_ndp_sessions; + desc->max_concurrent_nan_clusters = src->max_concurrent_nan_clusters; + desc->max_service_name_len = src->max_service_name_len; + desc->max_match_filter_len = src->max_match_filter_len; + desc->max_total_match_filter_len = src->max_total_match_filter_len; + desc->max_service_specific_info_len = src->max_service_specific_info_len; + desc->max_app_info_len = src->max_app_info_len; + desc->max_sdea_service_specific_info_len = src->max_sdea_service_specific_info_len; + desc->max_queued_transmit_followup_msgs = src->max_queued_transmit_followup_msgs; + desc->max_subscribe_address = src->max_subscribe_address; + desc->is_ndp_security_supported = src->is_ndp_security_supported; + desc->ndp_supported_bands = src->ndp_supported_bands; + desc->cipher_suites_supported = src->cipher_suites_supported; + desc->is_instant_mode_supported = src->is_instant_mode_supported; + desc->ndpe_attr_supported = src->ndpe_attr_supported; } GET_NAN_HANDLE(info)->mHandlers.NotifyResponse(id(), &rsp_data); |
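Review bot: The `memcpy` into `rsp_data.body.nan_capabilities` is still present as a context line directly above the added assignments (the diffstat shows 0 deletions), so the copy that the description blames for the out-of-bounds read still runs before the field-by-field copy. If the assignments are meant to replace it, the call `memcpy((void *)&rsp_data.body.nan_capabilities, (void *)&rsp_vndr_data->capabilities, min(len, sizeof(rsp_data.body.nan_capabilities)));` should be deleted in the same change. The new reads through `src` are also not checked against `len` in the visible lines; because `src` is typed with the HAL's `NanCapabilities` layout, a shorter driver reply could presumably still be read past its end, so a guard such as `if ((const char *)(src + 1) > (const char *)rsp_vndr_data + len) { /* short reply: skip the copy */ }` ahead of the assignments would bound them. The enclosing `else if` chain starts outside the hunk, so whether `len` is validated earlier cannot be confirmed from here.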