qcacld-2.0: Add maximum bound check on WPA RSN IE length

The WPA RSN IE is copied from the source buffer without checking the given IE length.
A malicious IE length can cause a buffer overflow.
Add a maximum bound check on the WPA RSN IE length.

Change-Id: Id159d307e8f9c1de720d4553a7c29f23cbd28571
CRs-Fixed: 2033213
google 2017-12-22 19:42:25 -08:00 committed by Nolen Johnson
parent 87d7ec3737
commit e468a98c08
1 changed files with 7 additions and 0 deletions


@ -5298,6 +5298,13 @@ int wlan_hdd_cfg80211_set_ie( hdd_adapter_t *pAdapter,
}
else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
{
if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) {
hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid WPA RSN IE length[%d], exceeds %d bytes",
__func__, eLen, MAX_WPA_RSN_IE_LEN - 2);
VOS_ASSERT(0);
return -EINVAL;
}
hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2) /*ie_len*/);
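Review bot: `VOS_ASSERT(0);` in the new length check fires on a value read from the caller-supplied IE buffer, so in any build where VOS_ASSERT is fatal (the macro is not visible here) a malformed IE becomes a crash instead of a clean `-EINVAL`. I would drop the assert and log at `VOS_TRACE_LEVEL_ERROR` rather than `VOS_TRACE_LEVEL_FATAL`, keeping `return -EINVAL;`. The check bounds only the destination: the `memcpy` still reads `eLen + 2` bytes starting at `genie - 2`, so eLen must also be no larger than what remains of the input buffer, which this hunk does not show. Any other branch of wlan_hdd_cfg80211_set_ie that copies into `pWextState->WPARSNIE` would need the same bound; the function body starts and ends outside the hunk.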