summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CORE/HDD/src/wlan_hdd_assoc.c11
1 files changed, 8 insertions, 3 deletions
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 12d24d7..7c9369f 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -2194,8 +2194,9 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
goto done;
}
- if (pCsrRoamInfo->nAssocRspLength == 0) {
- hddLog(LOGE, FL("Invalid assoc response length"));
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+ hddLog(LOGE, FL("Invalid assoc response length %d"),
+ pCsrRoamInfo->nAssocRspLength);
goto done;
}
@@ -2220,6 +2221,10 @@ static void hdd_SendReAssocEvent(struct net_device *dev,
/* Send the Assoc Resp, the supplicant needs this for initial Auth */
len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX) {
+ hddLog(LOGE, FL("Invalid Assoc resp length %d"), len);
+ goto done;
+ }
rspRsnLength = len;
memcpy(rspRsnIe, pFTAssocRsp, len);
memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len);