Merge "qcacld-2.0: Check on IE length to avoid buffer over-read" into wlan-cld2.driver.lnx.1.0-dev

author: CNSS_WLAN Service <cnssbldsw@qualcomm.com> 2017-06-06 03:37:35 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-06-06 03:37:35 -0700
commit: 03ce5fd7eb7abeccf9982eaa76a3027cd4c9a6ee (patch)
tree: 05f51803a1ec1152857746d00c0f0edd63e7ec2c
parent: 21850677ce010c763ff05c7817dc16faafb7a124 (diff)
parent: b1d0e250717fc4d8b7c45cef036ea9d16293c616 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 9d18fd3728f2..71fd03b45b28 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -22128,6 +22128,13 @@ int wlan_hdd_cfg80211_set_ie(hdd_adapter_t *pAdapter,
         eLen  = *genie++;
         remLen -= 2;
 
+        /* Sanity check on eLen */
+        if (eLen > remLen) {
+            hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid IE length[%d] for IE[0x%X]",
+                    __func__, eLen, elementId);
+            VOS_ASSERT(0);
+            return -EINVAL;
+        }
         hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]",
             __func__, elementId, eLen);
author	CNSS_WLAN Service <cnssbldsw@qualcomm.com>	2017-06-06 03:37:35 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-06-06 03:37:35 -0700
commit	03ce5fd7eb7abeccf9982eaa76a3027cd4c9a6ee (patch)
tree	05f51803a1ec1152857746d00c0f0edd63e7ec2c
parent	21850677ce010c763ff05c7817dc16faafb7a124 (diff)
parent	b1d0e250717fc4d8b7c45cef036ea9d16293c616 (diff)