qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen is user-controllable and never validates which uses as the length for a memory copy. This enables user-space applications to corrupt heap memory and potentially crash the kernel. Fix is to validate the WPARSNIes length to its max before use as the length for a memory copy. CAF-Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68 CRs-Fixed: 1102648 CVE-2017-6424 Change-Id: Ia3ac5038e51d1548627afe6685c82cf0fd850f08 (cherry picked from commit 5cc2ac840e36a3342c5194c20b314f0bb95ef7e1)
This commit is contained in:
parent
b795395fc0
commit
ea07d83cea
|
@ -5501,6 +5501,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
|
||||
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
|
||||
"%s: WPARSN Ie input length is more than max[%d]", __func__,
|
||||
wrqu->data.length);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
switch (genie[0])
|
||||
{
|
||||
case DOT11F_EID_WPA:
|
||||
|
|
Loading…
Reference in New Issue