| author | Abhinav Kumar <abhikuma@codeaurora.org> | 2017-12-21 16:27:03 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2018-01-17 04:06:21 -0800 |
| commit | 29ac431ca4acbca9f3fbe40b5791c83a7c87f7a1 (patch) | |
| tree | 4363765e7216ff011270e464eaabc014795b5116 | |
| parent | 5dfa87a820a385c7b9aeb8241c32202ba67ec72f (diff) | |
qcacld-2.0: Fix buffer overwrite due to ssid_len in WMA handlers
In multiple WMA event handler functions, ssid_len is used to copy
ssid from FW buffer to local buffer and ssid_len value is received
from the FW. If the ssid_len value exceeds SIR_MAC_MAX_SSID_LENGTH
then a buffer overwrite would occur.
Add a sanity check for ssid_len against SIR_MAC_MAX_SSID_LENGTH in
multiple WMA handler functions.
Change-Id: I9e4b1f88c275093b4912496cdb936cf54a8880a2
CRs-Fixed: 2162678
| -rw-r--r-- | CORE/SERVICES/WMA/wma.c | 18 |
1 files changed, 17 insertions, 1 deletions
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index cab494490fe0..3743e56ef09d 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -4378,6 +4378,11 @@ static int wma_extscan_hotlist_match_event_handler(void *handle,
 dest_ap->ieLength = src_hotlist-> ie_length;
 WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid, dest_ap->bssid);
+ if (src_hotlist->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGE("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
 vos_mem_copy(dest_ap->ssid, src_hotlist->ssid.ssid, src_hotlist->ssid.ssid_len);
 dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4552,6 +4557,13 @@ static int wma_group_num_bss_to_scan_id(const u_int8_t *cmd_param_info,
 WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid, ap->bssid);
+ if (src_hotlist->ssid.ssid_len >
+ SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len =
+ SIR_MAC_MAX_SSID_LENGTH;
+ }
 vos_mem_copy(ap->ssid, src_hotlist->ssid.ssid, src_hotlist->ssid.ssid_len);
 ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4860,9 +4872,13 @@ static int wma_passpoint_match_event_handler(void *handle,
 WMA_SVC_MSG_MAX_SIZE) {
 WMA_LOGE("IE Length: %d or ANQP Length: %d is huge", event->ie_length, event->anqp_length);
- VOS_ASSERT(0);
 return -EINVAL;
 }
+ if (event->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s: Invalid ssid len %d, truncating",
+ __func__, event->ssid.ssid_len);
+ event->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
 dest_match = vos_mem_malloc(sizeof(*dest_match) + event->ie_length + event->anqp_length);
 if (!dest_match) { |
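Review bot: After the clamp in wma_extscan_hotlist_match_event_handler, `dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0'` can still write at index SIR_MAC_MAX_SSID_LENGTH, so the fix is only complete if `dest_ap->ssid` holds at least SIR_MAC_MAX_SSID_LENGTH + 1 bytes; the array declaration is not visible in this hunk. I would record that dependency next to the check with a comment such as `/* dest_ap->ssid must be SIR_MAC_MAX_SSID_LENGTH + 1 bytes: the terminator lands at index ssid_len */`, or with a compile-time size assertion if the driver provides one. The same applies to `ap->ssid[src_hotlist->ssid.ssid_len] = '\0'` in the second hunk. The enclosing function starts and ends outside the hunk.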
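Review bot: The oversized-length message in this hunk is logged with `WMA_LOGD`, while the identical condition in the first hunk uses `WMA_LOGE`; the third hunk uses `WMA_LOGD` as well. A firmware-supplied ssid_len above SIR_MAC_MAX_SSID_LENGTH is an anomaly that is presumably filtered out at debug level on production builds, so I would use `WMA_LOGE("%s: Invalid SSID len %d, truncating", ...)` with one message format in all three places. If ssid_len is an unsigned field (its type is not visible here), `%u` would be the matching specifier.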
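Review bot: The new ssid_len check in wma_passpoint_match_event_handler truncates and carries on, while the check directly above it rejects an oversized ie_length or anqp_length with `return -EINVAL;`. An event whose ssid_len exceeds SIR_MAC_MAX_SSID_LENGTH is malformed in the same way, and truncating it hands upper layers an SSID that does not match what was reported; either `return -EINVAL;` after the log, or a comment saying why truncation is preferred here, would make the policy explicit. The clamp also writes back into the event buffer (`event->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;`), as do the first two hunks; a clamped local length would leave the received event unmodified. The copy that consumes ssid_len lies outside this hunk.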
