diff options
| author | Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> | 2017-12-18 12:51:12 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-12-20 22:36:37 -0800 |
| commit | 42676e4cc7601e19a359f738e6cb21bb7c2f837a (patch) | |
| tree | 8d62bc33267df51e9adcdb3877252f52300d9fe5 | |
| parent | f1a7917686a20881b2cc0cd4dd890c161aa175bf (diff) | |
qcacld-3.0: Possible buffer overwrite in vendor scan request
In api "__wlan_hdd_cfg80211_vendor_scan", the ssid length is u8,
when memcpy is done for ssid, the length is not validated and
nla_len(attr) is used directly in memcpy which can result in buffer
overwrite.
Add a check to validate the max length of scan ssid against
SIR_MAC_MAX_SSID_LENGTH.
Change-Id: If4c25710973ee50094c5d52410269962f552ac3f
CRs-Fixed: 2153326
| -rw-r--r-- | core/hdd/src/wlan_hdd_scan.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c index 37dd626ebf6d..c9664d01a36d 100644 --- a/core/hdd/src/wlan_hdd_scan.c +++ b/core/hdd/src/wlan_hdd_scan.c @@ -2741,17 +2741,20 @@ static int __wlan_hdd_cfg80211_vendor_scan(struct wiphy *wiphy, request->n_channels = count; count = 0; if (tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS]) { + int ssid_length; nla_for_each_nested(attr, tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS], tmp) { - request->ssids[count].ssid_len = nla_len(attr); - if (request->ssids[count].ssid_len > - SIR_MAC_MAX_SSID_LENGTH) { + ssid_length = nla_len(attr); + if ((ssid_length > SIR_MAC_MAX_SSID_LENGTH) || + (ssid_length < 0)) { hdd_err("SSID Len %d is not correct for network %d", - request->ssids[count].ssid_len, count); + ssid_length, count); goto error; } + + request->ssids[count].ssid_len = ssid_length; memcpy(request->ssids[count].ssid, nla_data(attr), - nla_len(attr)); + ssid_length); count++; } } |
