authorSourav Mohapatra <mohapatr@codeaurora.org>2018-06-19 09:41:16 +0530
committernshrivas <nshrivas@codeaurora.org>2018-07-03 01:12:48 -0700
commit1bfebea416681acdf3bedbf48d2059aed666817a (patch)
tree845037529f09350b2062596d805877444f289f72
parente44f350d285678d1595fd5c05770c4e106007c58 (diff)
qcacld-3.0: Fix OOB access in __iw_set_essid()
In function __iw_set_scan(), data is copied to the addIEdata buffer without checking the length of the source buffer, which may lead to an out-of-bounds access. To address the OOB access, check the genIE length against SIR_MAC_MAX_ADD_IE_LENGTH + 2. Change-Id: I94d7ccff8e3753063d7f4c1fb62343abcd461aa8 CRs-Fixed: 2260110
-rw-r--r--core/hdd/src/wlan_hdd_assoc.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index cb5183af4ab0..2254c4a7e916 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -6271,7 +6271,14 @@ static int __iw_set_essid(struct net_device *dev,
}
#endif /* FEATURE_WLAN_WAPI */
/* if previous genIE is not NULL, update AssocIE */
- if (0 != pWextState->genIE.length) {
+ if (pWextState->genIE.length != 0) {
+ if (pWextState->genIE.length >
+ (SIR_MAC_MAX_ADD_IE_LENGTH + 2)) {
+ hdd_err("genIE length exceeds the maximum value: %d",
+ pWextState->genIE.length);
+ return -EINVAL;
+ }
+
memset(&pWextState->assocAddIE, 0,
sizeof(pWextState->assocAddIE));
memcpy(pWextState->assocAddIE.addIEdata,
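Review bot: The added bound `pWextState->genIE.length > (SIR_MAC_MAX_ADD_IE_LENGTH + 2)` restates the destination size as a macro expression, so it protects the memcpy into `assocAddIE.addIEdata` only while that array is declared with exactly that size, and the declaration is not visible in this hunk. Deriving the limit from the buffer keeps the guard correct if the struct changes: `if (pWextState->genIE.length > sizeof(pWextState->assocAddIE.addIEdata)) {`, matching the `sizeof` already used by the memset below. The memcpy's length argument lies outside the hunk; presumably it is `genIE.length`, which should be confirmed so the value checked is the value copied. Since the early `return -EINVAL` is new, it is also worth checking that nothing acquired earlier in `__iw_set_essid()` (the function starts and ends outside this hunk) needs releasing on that path.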