DroidSec: function iw_set_pno where sscanf return is not checked (623f659d) · Commits · e / devices / android_kernel_fairphone_FP3

CORE/HDD/src/wlan_hdd_wext.c

+66 −30

Original line number	Original line	Diff line number	Diff line
	@@ -6417,7 +6417,12 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	-----------------------------------------------------------------------*/		-----------------------------------------------------------------------*/
	ptr = (char*)(wrqu->data.pointer + nOffset);		ptr = (char*)(wrqu->data.pointer + nOffset);

	sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset);		if (1 != sscanf(ptr,"%hhu%n", &(pnoRequest.enable), &nOffset))
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO enable input is not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}

	if ( 0 == pnoRequest.enable )		if ( 0 == pnoRequest.enable )
	{		{
	@@ -6430,7 +6435,14 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	}		}

	ptr += nOffset;		ptr += nOffset;
	sscanf(ptr,"%hhu %n", &(pnoRequest.ucNetworksCount), &nOffset);
			if (1 != sscanf(ptr,"%hhu %n", &(pnoRequest.ucNetworksCount), &nOffset))
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO count input not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;

			}

	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,		VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
	"PNO enable %d networks count %d offset %d",		"PNO enable %d networks count %d offset %d",
	@@ -6454,9 +6466,16 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,

	pnoRequest.aNetworks[i].ssId.length = 0;		pnoRequest.aNetworks[i].ssId.length = 0;

	sscanf(ptr,"%hhu %n",		ucParams = sscanf(ptr,"%hhu %n",
	&(pnoRequest.aNetworks[i].ssId.length),&nOffset);		&(pnoRequest.aNetworks[i].ssId.length),&nOffset);

			if (1 != ucParams)
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO ssid length input is not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}

	if (( 0 == pnoRequest.aNetworks[i].ssId.length ) \|\|		if (( 0 == pnoRequest.aNetworks[i].ssId.length ) \|\|
	( pnoRequest.aNetworks[i].ssId.length > 32 ) )		( pnoRequest.aNetworks[i].ssId.length > 32 ) )
	{		{
	@@ -6479,6 +6498,13 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	&(pnoRequest.aNetworks[i].ucChannelCount),		&(pnoRequest.aNetworks[i].ucChannelCount),
	&nOffset);		&nOffset);

			if ( 3 != ucParams )
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN,
			"Incorrect cmd %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}

	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,		VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
	"PNO len %d ssid 0x%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx"		"PNO len %d ssid 0x%08lx%08lx%08lx%08lx%08lx%08lx%08lx%08lx"
	"auth %d encry %d channel count %d offset %d",		"auth %d encry %d channel count %d offset %d",
	@@ -6496,13 +6522,6 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	pnoRequest.aNetworks[i].ucChannelCount,		pnoRequest.aNetworks[i].ucChannelCount,
	nOffset );		nOffset );

	if ( 3 != ucParams )
	{
	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_WARN,
	"Incorrect cmd");
	return VOS_STATUS_E_FAILURE;
	}

	/Advance to channel list/		/Advance to channel list/
	ptr += nOffset;		ptr += nOffset;

	@@ -6517,15 +6536,26 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	{		{
	for ( j = 0; j < pnoRequest.aNetworks[i].ucChannelCount; j++)		for ( j = 0; j < pnoRequest.aNetworks[i].ucChannelCount; j++)
	{		{
	sscanf(ptr,"%hhu %n",		if (1 != sscanf(ptr,"%hhu %n",
	&(pnoRequest.aNetworks[i].aChannels[j]), &nOffset);		&(pnoRequest.aNetworks[i].aChannels[j]),
			&nOffset))
			{ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO network channel input is not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}
	/Advance to next channel number/		/Advance to next channel number/
	ptr += nOffset;		ptr += nOffset;
	}		}
	}		}

	sscanf(ptr,"%lu %n",		if (1 != sscanf(ptr,"%lu %n",
	&(pnoRequest.aNetworks[i].bcastNetwType), &nOffset);		&(pnoRequest.aNetworks[i].bcastNetwType),
			&nOffset))
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO broadcast network type input is not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}

	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,		VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
	"PNO bcastNetwType %d offset %d",		"PNO bcastNetwType %d offset %d",
	@@ -6535,8 +6565,14 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	/Advance to rssi Threshold/		/Advance to rssi Threshold/
	ptr += nOffset;		ptr += nOffset;

	sscanf(ptr,"%hhu %n",		if (1 != sscanf(ptr,"%hhu %n",
	&(pnoRequest.aNetworks[i].rssiThreshold), &nOffset);		&(pnoRequest.aNetworks[i].rssiThreshold),
			&nOffset))
			{
			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
			"PNO rssi threshold input is not valid %s",ptr);
			return VOS_STATUS_E_FAILURE;
			}

	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,		VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
	"PNO rssi %d offset %d",		"PNO rssi %d offset %d",
	@@ -6547,7 +6583,8 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	}/For ucNetworkCount/		}/For ucNetworkCount/

	ucParams = sscanf(ptr,"%hhu %n",		ucParams = sscanf(ptr,"%hhu %n",
	&(pnoRequest.scanTimers.ucScanTimersCount), &nOffset);		&(pnoRequest.scanTimers.ucScanTimersCount),
			&nOffset);

	/Read the scan timers/		/Read the scan timers/
	if (( 1 == ucParams ) && ( pnoRequest.scanTimers.ucScanTimersCount > 0 ))		if (( 1 == ucParams ) && ( pnoRequest.scanTimers.ucScanTimersCount > 0 ))
	@@ -6573,12 +6610,6 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	&( pnoRequest.scanTimers.aTimerValues[i].uTimerRepeat),		&( pnoRequest.scanTimers.aTimerValues[i].uTimerRepeat),
	&nOffset);		&nOffset);

	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
	"PNO Timer value %d Timer repeat %d offset %d",
	pnoRequest.scanTimers.aTimerValues[i].uTimerValue,
	pnoRequest.scanTimers.aTimerValues[i].uTimerRepeat,
	nOffset );

	if (2 != ucParams)		if (2 != ucParams)
	{		{
	VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,		VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
	@@ -6586,6 +6617,12 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	return VOS_STATUS_E_FAILURE;		return VOS_STATUS_E_FAILURE;
	}		}

			VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO,
			"PNO Timer value %d Timer repeat %d offset %d",
			pnoRequest.scanTimers.aTimerValues[i].uTimerValue,
			pnoRequest.scanTimers.aTimerValues[i].uTimerRepeat,
			nOffset );

	ptr += nOffset;		ptr += nOffset;
	}		}

	@@ -6602,8 +6639,7 @@ VOS_STATUS iw_set_pno(struct net_device dev, struct iw_request_info info,
	pnoRequest.scanTimers.aTimerValues[0].uTimerRepeat = 0;		pnoRequest.scanTimers.aTimerValues[0].uTimerRepeat = 0;
	}		}

	ucParams = sscanf(ptr,"%hhu %n",		ucParams = sscanf(ptr,"%hhu %n",&(ucMode), &nOffset);
	&(ucMode), &nOffset);

	pnoRequest.modePNO = ucMode;		pnoRequest.modePNO = ucMode;
	/for LA we just expose suspend option/		/for LA we just expose suspend option/