hc
2024-01-03 2f7c68cb55ecb7331f2381deb497c27155f32faf
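--- a/kernel/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/kernel/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -90,6 +90,9 @@
 #define BRCMF_ASSOC_PARAMS_FIXED_SIZE \
 (sizeof(struct brcmf_assoc_params_le) - sizeof(u16))
 
+#define BRCMF_MAX_CHANSPEC_LIST \
+ (BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1)
+
 static bool check_vif_up(struct brcmf_cfg80211_vif *vif)
 {
 if (!test_bit(BRCMF_VIF_STATUS_READY, &vif->sme_state)) {
@@ -1347,13 +1350,14 @@
 {
 struct brcmf_pub *drvr = ifp->drvr;
 struct brcmf_wsec_pmk_le pmk;
- int i, err;
+ int err;
 
- /* convert to firmware key format */
- pmk.key_len = cpu_to_le16(pmk_len << 1);
- pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE);
- for (i = 0; i < pmk_len; i++)
- snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]);
+ memset(&pmk, 0, sizeof(pmk));
+
+ /* pass pmk directly */
+ pmk.key_len = cpu_to_le16(pmk_len);
+ pmk.flags = cpu_to_le16(0);
+ memcpy(pmk.key, pmk_data, pmk_len);
 
 /* store psk in firmware */
 err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK,
@@ -5831,6 +5835,11 @@
 (struct brcmf_cfg80211_assoc_ielen_le *)cfg->extra_buf;
 req_len = le32_to_cpu(assoc_info->req_len);
 resp_len = le32_to_cpu(assoc_info->resp_len);
+ if (req_len > WL_EXTRA_BUF_MAX || resp_len > WL_EXTRA_BUF_MAX) {
+ bphy_err(drvr, "invalid lengths in assoc info: req %u resp %u\n",
+ req_len, resp_len);
+ return -EINVAL;
+ }
 if (req_len) {
 err = brcmf_fil_iovar_data_get(ifp, "assoc_req_ies",
 cfg->extra_buf,
@@ -6459,6 +6468,13 @@
 band->channels[i].flags = IEEE80211_CHAN_DISABLED;
 
 total = le32_to_cpu(list->count);
+ if (total > BRCMF_MAX_CHANSPEC_LIST) {
+ bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
+ total);
+ err = -EINVAL;
+ goto fail_pbuf;
+ }
+
 for (i = 0; i < total; i++) {
 ch.chspec = (u16)le32_to_cpu(list->element[i]);
 cfg->d11inf.decchspec(&ch);
@@ -6604,6 +6620,13 @@
 band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ];
 list = (struct brcmf_chanspec_list *)pbuf;
 num_chan = le32_to_cpu(list->count);
+ if (num_chan > BRCMF_MAX_CHANSPEC_LIST) {
+ bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
+ num_chan);
+ kfree(pbuf);
+ return -EINVAL;
+ }
+
 for (i = 0; i < num_chan; i++) {
 ch.chspec = (u16)le32_to_cpu(list->element[i]);
 cfg->d11inf.decchspec(&ch);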
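Review bot: In the hunk at -1347, `memcpy(pmk.key, pmk_data, pmk_len);` copies a caller-supplied length into the on-stack `pmk` without comparing it to the size of `pmk.key`, whereas the other hunks in this file all add bounds checks on firmware-reported lengths. The function's signature and its callers are outside the hunk, so `pmk_len` may already be bounded before it gets here, but a local guard placed before the copy, `if (pmk_len > sizeof(pmk.key)) return -EINVAL;`, would make the stack write safe regardless of the caller. Because `pmk` holds key material, it is also worth clearing it once the `brcmf_fil_cmd_data_set()` call has returned, for example with `memzero_explicit(&pmk, sizeof(pmk));`. The rest of the function body is not visible here, so where that cleanup belongs relative to the error path needs to be confirmed.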