mirror of
https://github.com/followmsi/android_kernel_google_msm.git
synced 2024-11-06 23:17:41 +00:00
qcacld-2.0: Check on IE length to avoid buffer over-read
An incorrect IE length can overflow the remaining length variable and make IE parsing logic perform a buffer over-read. Check on IE length to avoid buffer over-read. Bug: 63868629 Change-Id: I20ef6a0136c7a5b602ad15a2fb725f20807b81d0 CRs-Fixed: 2033195 Signed-off-by: Ecco Park <eccopark@google.com>
This commit is contained in:
parent
454df2f458
commit
c58b4a7a63
1 changed files with 8 additions and 1 deletions
|
@ -5255,7 +5255,14 @@ int wlan_hdd_cfg80211_set_ie( hdd_adapter_t *pAdapter,
|
|||
elementId = *genie++;
|
||||
eLen = *genie++;
|
||||
remLen -= 2;
|
||||
|
||||
|
||||
/* Sanity check on eLen */
|
||||
if (eLen > remLen) {
|
||||
hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid IE length[%d] for IE[0x%X]",
|
||||
__func__, eLen, elementId);
|
||||
VOS_ASSERT(0);
|
||||
return -EINVAL;
|
||||
}
|
||||
hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]\n",
|
||||
__func__, elementId, eLen);
|
||||
|
||||
|
|
Loading…
Reference in a new issue