Piteball
/
android_kernel_samsung_msm8976
mirror of https://github.com/team-infusion-developers/android_kernel_samsung_msm8976.git
1
1
Fork 0
Code Issues Projects Releases Wiki Activity

qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes() 

Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validates which uses as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.

Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.

CAF-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648

CVE-2017-6424

Change-Id: Ia3ac5038e51d1548627afe6685c82cf0fd850f08
(cherry picked from commit 5cc2ac840e36a3342c5194c20b314f0bb95ef7e1)
This commit is contained in:
Nishank Aggarwal 2017-01-12 14:32:02 +05:30 committed by LuK1337
parent b795395fc0
commit ea07d83cea
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_hostapd.c
View File

@ -5501,6 +5501,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
return 0;
}
if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: WPARSN Ie input length is more than max[%d]", __func__,
wrqu->data.length);
return -EINVAL;
}
switch (genie[0])
{
case DOT11F_EID_WPA: