qcacld-2.0: Check on IE length to avoid buffer over-read

An incorrect IE length can overflow the remaining length variable
and make IE parsing logic perform a buffer over-read.
Check on IE length to avoid buffer over-read.

Bug: 63868629
Change-Id: I20ef6a0136c7a5b602ad15a2fb725f20807b81d0
CRs-Fixed: 2033195
Signed-off-by: Ecco Park <eccopark@google.com>
google 2017-12-06 10:51:12 -08:00 committed by Nolen Johnson
parent 454df2f458
commit c58b4a7a63


@ -5255,7 +5255,14 @@ int wlan_hdd_cfg80211_set_ie( hdd_adapter_t *pAdapter,
elementId = *genie++;
eLen = *genie++;
remLen -= 2;
/* Sanity check on eLen */
if (eLen > remLen) {
hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid IE length[%d] for IE[0x%X]",
__func__, eLen, elementId);
VOS_ASSERT(0);
return -EINVAL;
}
hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]\n",
__func__, elementId, eLen);
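Review bot: `VOS_ASSERT(0)` in the new `eLen > remLen` branch fires on a condition decided entirely by the contents of the IE buffer, so in any build where VOS_ASSERT halts or panics, a malformed IE becomes a crash instead of a clean `-EINVAL`. This is input validation rather than a broken internal invariant, so I would drop the assert and lower the log level, e.g. `hddLog(VOS_TRACE_LEVEL_ERROR, "%s: Invalid IE length[%d] for IE[0x%X]", __func__, eLen, elementId);`. The check also assumes `remLen -= 2` on the line above cannot wrap. That depends on the loop condition and on the type of `remLen`, both outside this hunk, so it is worth confirming that the loop only iterates while at least two bytes remain. The body of wlan_hdd_cfg80211_set_ie starts and ends outside the hunk.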