authorJingxiang Ge <jge@codeaurora.org>2020-02-24 13:17:51 +0800
committerJingxiang Ge <jge@codeaurora.org>2020-02-24 13:41:24 +0800
commit2bac56bde01272efe04ed2ed1ee9d98869488dcd (patch)
tree09c2e6a39a21a3eee6ad87b12090c89c5cf63f62
parent024ffb0fb08ae2fb4bf9d8d1c5086a62954a8d63 (diff)
qcacld-2.0: Validate assoc response IE len before copy
Propagate from qcacld3.0 to qcacld2.0. When the host sends the assoc response to the supplicant, it allocates a buffer of fixed size and copies a variable-length set of assoc response IEs into this fixed-size buffer. There is a possibility of an OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid the above issue, validate the assoc response IEs length against the allocated buffer size before copying data into the buffer. Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439 CRs-Fixed: 2616229
-rw-r--r--CORE/HDD/src/wlan_hdd_assoc.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 12d24d7..7c9369f 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -2194,8 +2194,9 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
goto done;
}
- if (pCsrRoamInfo->nAssocRspLength == 0) {
- hddLog(LOGE, FL("Invalid assoc response length"));
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+ hddLog(LOGE, FL("Invalid assoc response length %d"),
+ pCsrRoamInfo->nAssocRspLength);
goto done;
}
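Review bot: The new hddLog on the rejected-length path prints `pCsrRoamInfo->nAssocRspLength` with `%d`; if that field is an unsigned 32-bit type, as the later unsigned subtraction into `len` suggests, `%u` is the matching specifier, and the same applies to the `%d` used for `len` in the next hunk's new log. The message `Invalid assoc response length %d` is also nearly identical to `Invalid Assoc resp length %d` added in the following hunk, so a log reader cannot tell which guard fired; consider `hddLog(LOGE, FL("Assoc response shorter than IEs offset: %u"), pCsrRoamInfo->nAssocRspLength);` here so the two rejections are distinguishable. hdd_SendReAssocEvent begins before and continues after this hunk.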
@@ -2220,6 +2221,10 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
/* Send the Assoc Resp, the supplicant needs this for initial Auth */
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX) {
+ hddLog(LOGE, FL("Invalid Assoc resp length %d"), len);
+ goto done;
+ }
rspRsnLength = len;
memcpy(rspRsnIe, pFTAssocRsp, len);
memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len);
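Review bot: The bound `IW_GENERIC_IE_MAX` in the new `if (len > IW_GENERIC_IE_MAX)` check is only implicitly tied to the size of `rspRsnIe`, which the memcpy and the `memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len)` that follow assume holds exactly that many bytes; if that allocation is ever resized the check goes stale without a compiler diagnostic. A comment above the check, `/* rspRsnIe holds IW_GENERIC_IE_MAX bytes; reject oversized IEs rather than truncating */`, would record the coupling, or the compare could use the same size expression as the allocation. The check also relies on the earlier `nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET` guard to keep the subtraction that computes `len` from wrapping, which is worth noting in the same comment since the two guards are separated by other code. hdd_SendReAssocEvent begins before and continues after this hunk.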