prima: Avoid possible stack overflow in hdd_ProcessGENIE API

There is no check for the return value of dot11fUnpackIeRSN API in hdd_ProcessGENIE API, which may cause stack overflow if pmkid_count is returned as more than the PMKIDCache size. Add a check for return value of dot11fUnpackIeRSN to avoid possible stack overflow. Change-Id: I56424c706de121b18b8d3f2c4a35089ec0434452 CRs-Fixed: 2149187
2024-11-06 23:17:41 +00:00 · 2017-11-29 14:04:38 +05:30 · 2017-11-29 14:04:38 +05:30 · 4f0971198b
commit 4f0971198b
parent 4535be1ba3
1 changed files with 23 additions and 15 deletions
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
@ -2600,6 +2600,7 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
    tDot11fIERSN dot11RSNIE;
    tDot11fIEWPA dot11WPAIE;
    tANI_U32 i;
+    tANI_U32 status;
    tANI_U8 *pRsnIe;
    tANI_U16 RSNIeLen;
    tPmkidCacheInfo PMKIDCache[4]; // Local transfer memory
@ -2626,10 +2627,17 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
        pRsnIe = gen_ie + 2;
        RSNIeLen = gen_ie_len - 2;
        // Unpack the RSN IE
-        dot11fUnpackIeRSN((tpAniSirGlobal) halHandle, 
+        status = dot11fUnpackIeRSN((tpAniSirGlobal) halHandle,
                            pRsnIe,
                            RSNIeLen,
                            &dot11RSNIE);
+        if (DOT11F_FAILED(status))
+        {
+            hddLog(LOGE,
+                       FL("Parse failure in hdd_ProcessGENIE (0x%08x)"),
+                       status);
+            return -EINVAL;
+        }
        // Copy out the encryption and authentication types
        hddLog(LOG1, FL("%s: pairwise cipher suite count: %d"),
                __func__, dot11RSNIE.pwise_cipher_suite_count );