qcacld-2.0: Validate assoc response IE len before copy
Propagation from qcacld-3.0 to qcacld-2.0. When the host sends the FT assoc response to the supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs into this fixed-size buffer. An OOB write to the allocated buffer is possible if the assoc response IEs length is greater than the allocated buffer size. To avoid this issue, validate the assoc response IEs length against the allocated buffer size before copying data to the buffer. Change-Id: I7f9998c4964bfb38a493d76954e00197aada1986 CRs-Fixed: 2616227
parent
ecc036137e
commit
47e4e3d2af
|
@ -351,7 +351,7 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
|
|||
unsigned int len = 0;
|
||||
u8 *pFTAssocRsp = NULL;
|
||||
|
||||
if (pCsrRoamInfo->nAssocRspLength == 0)
|
||||
if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)
|
||||
{
|
||||
hddLog(LOGE,
|
||||
"%s: pCsrRoamInfo->nAssocRspLength=%d",
|
||||
|
@ -369,6 +369,17 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
|
|||
|
||||
// pFTAssocRsp needs to point to the IEs
|
||||
pFTAssocRsp += FT_ASSOC_RSP_IES_OFFSET;
|
||||
|
||||
// Send the Assoc Resp, the supplicant needs this for initial Auth.
|
||||
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
|
||||
if (len > IW_GENERIC_IE_MAX)
|
||||
{
|
||||
hddLog(LOGE, "%s: Invalid assoc response IEs length %d",
|
||||
__func__, len);
|
||||
return;
|
||||
}
|
||||
wrqu.data.length = len;
|
||||
|
||||
hddLog(LOG1, "%s: AssocRsp is now at %02x%02x", __func__,
|
||||
(unsigned int)pFTAssocRsp[0],
|
||||
(unsigned int)pFTAssocRsp[1]);
|
||||
|
@ -381,9 +392,6 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
|
|||
return;
|
||||
}
|
||||
|
||||
// Send the Assoc Resp, the supplicant needs this for initial Auth.
|
||||
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
|
||||
wrqu.data.length = len;
|
||||
memset(buff, 0, IW_GENERIC_IE_MAX);
|
||||
memcpy(buff, pFTAssocRsp, len);
|
||||
wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);
|
||||
|
|
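Review bot: The debug log that follows the new bound check still reads `pFTAssocRsp[0]` and `pFTAssocRsp[1]` unconditionally, and the guard at the top of hdd_SendFTAssocResponse (which appears to be the new `nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET` form) lets through a response exactly `FT_ASSOC_RSP_IES_OFFSET` bytes long, so `len` can be 0 or 1 and the log then reads past the reported end of the assoc response. Making the log conditional on `len >= 2`, or rejecting the short case in the same check with `if (len < 2 || len > IW_GENERIC_IE_MAX)`, would close that over-read. `len` is `unsigned int`, so the new error message should print it with `%u` rather than `%d`. The start of the function and the allocation of `buff` are outside the visible hunks, so whether the frame buffer behind `pFTAssocRsp` really holds `nAssocRspLength` bytes cannot be confirmed from here.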