author | 2020-02-24 13:17:51 +0800 | |
---|---|---|
committer | 2020-02-24 13:41:24 +0800 | |
commit | 2bac56bde01272efe04ed2ed1ee9d98869488dcd (patch) | |
tree | 09c2e6a39a21a3eee6ad87b12090c89c5cf63f62 | |
parent | 024ffb0fb08ae2fb4bf9d8d1c5086a62954a8d63 (diff) |
-rw-r--r-- | CORE/HDD/src/wlan_hdd_assoc.c | 11 |
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 12d24d7..7c9369f 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -2194,8 +2194,9 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
 goto done;
 }
- if (pCsrRoamInfo->nAssocRspLength == 0) {
- hddLog(LOGE, FL("Invalid assoc response length"));
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+ hddLog(LOGE, FL("Invalid assoc response length %d"),
+ pCsrRoamInfo->nAssocRspLength);
 goto done;
 }
@@ -2220,6 +2221,10 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
 /* Send the Assoc Resp, the supplicant needs this for initial Auth */
 len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX) {
+ hddLog(LOGE, FL("Invalid Assoc resp length %d"), len);
+ goto done;
+ }
 rspRsnLength = len;
 memcpy(rspRsnIe, pFTAssocRsp, len);
 memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len); |
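Review bot: The new lower bound in the second hunk still accepts a response of exactly FT_ASSOC_RSP_IES_OFFSET bytes, so the later `len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET` evaluates to 0 and the function presumably goes on to report an event that carries no IEs. If a reassociation response without IEs is never valid on this path, `if (pCsrRoamInfo->nAssocRspLength <= FT_ASSOC_RSP_IES_OFFSET) {` says so directly. The added log call prints the length with `%d`; the field's declaration is not in the hunk, but if it is an unsigned type `%u` is the matching specifier. hdd_SendReAssocEvent starts and ends outside the hunk.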
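Review bot: The upper bound added before the `memcpy` in the third hunk is only sufficient because the earlier check in this function rejects nAssocRspLength below FT_ASSOC_RSP_IES_OFFSET; without that, the subtraction could wrap or go negative (len is declared outside the hunk) and `len > IW_GENERIC_IE_MAX` alone might not stop an oversized copy. A comment above the new `if` would keep the two checks tied together for whoever edits either one, e.g. `/* len cannot underflow: nAssocRspLength >= FT_ASSOC_RSP_IES_OFFSET was checked above */`. The bound also assumes rspRsnIe holds IW_GENERIC_IE_MAX bytes, which the `memset` length suggests but whose allocation is not visible here. The message is nearly the same as the one in the earlier check; `hddLog(LOGE, FL("Assoc resp IEs length %d exceeds %d"), len, IW_GENERIC_IE_MAX);` would let a log reader tell which guard fired.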