OpenCloudOS-Kernel/drivers/net/wireless/broadcom/brcm80211/brcmfmac
Dan Carpenter e025da3d7a brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
If "ret_len" is negative then it could lead to a NULL dereference.

The "ret_len" value comes from nl80211_vendor_cmd(), if it's negative
then we don't allocate the "dcmd_buf" buffer.  Then we pass "ret_len" to
brcmf_fil_cmd_data_set() where it is cast to a very high u32 value.
Most of the functions in that call tree check whether the buffer we pass
is NULL but there are at least a couple places which don't such as
brcmf_dbg_hex_dump() and brcmf_msgbuf_query_dcmd().  We memcpy() to and
from the buffer so it would result in a NULL dereference.

The fix is to change the types so that "ret_len" can't be negative.  (If
we memcpy() zero bytes to NULL, that's a no-op and doesn't cause an
issue).

Fixes: 1bacb0487d ("brcmfmac: replace cfg80211 testmode with vendor command")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-05-01 18:25:09 +03:00
Makefile wireless: prefix header search paths with $(srctree)/ 2019-02-01 14:42:25 +02:00
bcdc.c brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
bcdc.h brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
bcmsdh.c brcmfmac: fix leak of mypkt on error return path 2019-04-13 14:07:09 +03:00
btcoex.c brcmfmac: allocate struct brcmf_pub instance using wiphy_new() 2018-03-27 12:04:22 +03:00
btcoex.h
bus.h brcmfmac: reset PCIe bus on a firmware crash 2019-04-04 13:00:13 +03:00
cfg80211.c brcmfmac: fix missing checks for kmemdup 2019-04-04 13:13:16 +03:00
cfg80211.h brcmfmac: fix roamoff=1 modparam 2018-12-20 08:47:53 +02:00
chip.c brcmfmac: 4373 save-restore support 2018-12-13 16:57:26 +02:00
chip.h brcmfmac: use brcmf_chip_name() to store name in revinfo 2018-03-27 12:04:21 +03:00
common.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
common.h brcmfmac: Set board_type from DMI on x86 based machines 2018-11-06 18:50:17 +02:00
commonring.c
commonring.h
core.c brcmfmac: fix Oops when bringing up interface during USB disconnect 2019-04-04 13:11:37 +03:00
core.h brcmfmac: reset PCIe bus on a firmware crash 2019-04-04 13:00:13 +03:00
debug.c brcmfmac: validate user provided data for memdump before copying 2018-05-23 18:51:56 +03:00
debug.h brcmfmac: rework bphy_err() to take struct brcmf_pub argument 2019-02-19 17:07:13 +02:00
dmi.c brcmfmac: Add DMI nvram filename quirk for ACEPC T8 and T11 mini PCs 2019-04-25 19:57:44 +03:00
feature.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
feature.h brcmfmac: support monitor frames with the hardware/ucode header 2019-02-08 17:27:26 +02:00
firmware.c brcmfmac: Use struct_size() in kzalloc() 2019-04-13 13:58:36 +03:00
firmware.h brcmfmac: Add support for first trying to get a board specific nvram file 2018-11-06 18:50:15 +02:00
flowring.c brcmfmac: move ALLFFMAC variable in flowring module 2018-05-23 18:51:47 +03:00
flowring.h brcmfmac: Increase nr of supported flowrings. 2016-02-25 11:59:22 +02:00
fweh.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
fweh.h brcmfmac: add subtype check for event handling in data path 2019-02-19 17:04:40 +02:00
fwil.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
fwil.h brcmfmac: enable frameburst mode in default firmware setting 2018-12-13 16:56:24 +02:00
fwil_types.h brcmfmac: support STA info struct v7 2018-11-29 17:31:52 +02:00
fwsignal.c brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
fwsignal.h brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
msgbuf.c brcmfmac: print firmware reported general status errors 2019-02-28 10:27:59 +02:00
msgbuf.h brcmfmac: coarse support for PCIe shared structure rev7 2018-04-30 13:43:17 +03:00
of.c brcmfmac: Set board_type used for nvram file selection to machine-compatible 2018-11-06 18:50:16 +02:00
of.h brcmfmac: make brcmf_of_probe more generic 2017-01-19 14:45:13 +02:00
p2p.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
p2p.h brcmfmac: fix full timeout waiting for action frame on-channel tx 2018-10-05 11:29:42 +03:00
pcie.c brcmfmac: send mailbox interrupt twice for specific hardware device 2019-04-26 15:00:53 +03:00
pcie.h
pno.c brcmfmac: use bphy_err() in all wiphy-related code 2019-02-20 19:54:17 +02:00
pno.h brcmfmac: add support multi-scheduled scan 2017-06-13 09:57:49 +03:00
proto.c brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
proto.h brcmfmac: fix NULL pointer derefence during USB disconnect 2019-04-04 13:10:19 +03:00
sdio.c brcmfmac: Loading the correct firmware for brcm43456 2019-04-13 14:04:44 +03:00
sdio.h brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373 2018-12-13 16:57:14 +02:00
tracepoint.c brcmfmac: modify __brcmf_err() to take bus as a parameter 2019-02-08 17:22:47 +02:00
tracepoint.h
usb.c brcmfmac: convert dev_init_lock mutex to completion 2019-04-04 13:12:06 +03:00
usb.h
vendor.c brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() 2019-05-01 18:25:09 +03:00
vendor.h