Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

qcacld-2.0: Validate assoc response IE len before copy 

Propagation from qcacld-3.0 to qcacld-2.0

When host sends ft assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.

To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.

Change-Id: I7f9998c4964bfb38a493d76954e00197aada1986
CRs-Fixed: 2616227
This commit is contained in:
Min Liu 2020-02-27 12:12:18 +08:00 committed by syphyr
parent ecc036137e
commit 47e4e3d2af
1 changed files with 12 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
View File

@ -351,7 +351,7 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
unsigned int len = 0;
u8 *pFTAssocRsp = NULL;
if (pCsrRoamInfo->nAssocRspLength == 0)
if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)
{
hddLog(LOGE,
"%s: pCsrRoamInfo->nAssocRspLength=%d",
@ -369,6 +369,17 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
// pFTAssocRsp needs to point to the IEs
pFTAssocRsp += FT_ASSOC_RSP_IES_OFFSET;
// Send the Assoc Resp, the supplicant needs this for initial Auth.
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
if (len > IW_GENERIC_IE_MAX)
{
hddLog(LOGE, "%s: Invalid assoc response IEs length %d",
__func__, len);
return;
}
wrqu.data.length = len;
hddLog(LOG1, "%s: AssocRsp is now at %02x%02x", __func__,
(unsigned int)pFTAssocRsp[0],
(unsigned int)pFTAssocRsp[1]);
@ -381,9 +392,6 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
return;
}
// Send the Assoc Resp, the supplicant needs this for initial Auth.
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
wrqu.data.length = len;
memset(buff, 0, IW_GENERIC_IE_MAX);
memcpy(buff, pFTAssocRsp, len);
wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);