From 47e4e3d2af888109411a51e4ca3ec98062724d90 Mon Sep 17 00:00:00 2001
From: Min Liu
Date: Thu, 27 Feb 2020 12:12:18 +0800
Subject: [PATCH] qcacld-2.0: Validate assoc response IE len before copy

Propagation from qcacld-3.0 to qcacld-2.0
When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size.
To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Change-Id: I7f9998c4964bfb38a493d76954e00197aada1986
CRs-Fixed: 2616227
---
 .../qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c | 16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)

diff --git a/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
index f5e75c7af036..7dc549c5136a 100644
--- a/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_assoc.c
@@ -351,7 +351,7 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
 unsigned int len = 0;
 u8 *pFTAssocRsp = NULL;
- if (pCsrRoamInfo->nAssocRspLength == 0)
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)
 {
 hddLog(LOGE, "%s: pCsrRoamInfo->nAssocRspLength=%d", 
@@ -369,6 +369,17 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
 // pFTAssocRsp needs to point to the IEs
 pFTAssocRsp += FT_ASSOC_RSP_IES_OFFSET;
+
+ // Send the Assoc Resp, the supplicant needs this for initial Auth.
+ len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX)
+ {
+ hddLog(LOGE, "%s: Invalid assoc response IEs length %d",
+ __func__, len);
+ return;
+ }
+ wrqu.data.length = len;
+
 hddLog(LOG1, "%s: AssocRsp is now at %02x%02x", __func__, (unsigned int)pFTAssocRsp[0], (unsigned int)pFTAssocRsp[1]);
@@ -381,9 +392,6 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
 return;
 }
- // Send the Assoc Resp, the supplicant needs this for initial Auth.
- len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
- wrqu.data.length = len;
 memset(buff, 0, IW_GENERIC_IE_MAX);
 memcpy(buff, pFTAssocRsp, len);
 wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);
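Review bot: The rejection log added in the second hunk prints `len` with `%d`, but `len` is declared `unsigned int` at the top of the function (visible in the first hunk), so the conversion specifier should be `%u`: `hddLog(LOGE, "%s: Invalid assoc response IEs length %u", __func__, len);`. The new bound `len > IW_GENERIC_IE_MAX` is only sufficient if `buff` holds at least IW_GENERIC_IE_MAX bytes; its declaration is outside the hunk, and the `memset(buff, 0, IW_GENERIC_IE_MAX)` in the last hunk suggests that size without proving it, so a comment next to the check such as `/* buff is IW_GENERIC_IE_MAX bytes; len is validated against it before the memcpy below */` would tie the two bounds together for the next reader. The check still admits `len` of 0 or 1, while the trace directly below it reads `pFTAssocRsp[0]` and `pFTAssocRsp[1]` unconditionally, so that log can read beyond the validated IE length when the response carries fewer than two IE bytes; guarding the trace with `if (len >= 2)` would close that. hdd_SendFTAssocResponse begins before this hunk and its body continues past it.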