summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAshish Kumar Dhanotiya <adhanoti@codeaurora.org>2017-12-18 12:51:12 +0530
committersnandini <snandini@codeaurora.org>2017-12-20 22:36:37 -0800
commit42676e4cc7601e19a359f738e6cb21bb7c2f837a (patch)
tree8d62bc33267df51e9adcdb3877252f52300d9fe5
parentf1a7917686a20881b2cc0cd4dd890c161aa175bf (diff)
qcacld-3.0: Possible buffer overwrite in vendor scan request
In api "__wlan_hdd_cfg80211_vendor_scan", the ssid length is u8, when memcpy is done for ssid, the length is not validated and nla_len(attr) is used directly in memcpy which can result in buffer overwrite. Add a check to validate the max length of scan ssid against SIR_MAC_MAX_SSID_LENGTH. Change-Id: If4c25710973ee50094c5d52410269962f552ac3f CRs-Fixed: 2153326
-rw-r--r--core/hdd/src/wlan_hdd_scan.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c
index 37dd626ebf6d..c9664d01a36d 100644
--- a/core/hdd/src/wlan_hdd_scan.c
+++ b/core/hdd/src/wlan_hdd_scan.c
@@ -2741,17 +2741,20 @@ static int __wlan_hdd_cfg80211_vendor_scan(struct wiphy *wiphy,
request->n_channels = count;
count = 0;
if (tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS]) {
+ int ssid_length;
nla_for_each_nested(attr, tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS],
tmp) {
- request->ssids[count].ssid_len = nla_len(attr);
- if (request->ssids[count].ssid_len >
- SIR_MAC_MAX_SSID_LENGTH) {
+ ssid_length = nla_len(attr);
+ if ((ssid_length > SIR_MAC_MAX_SSID_LENGTH) ||
+ (ssid_length < 0)) {
hdd_err("SSID Len %d is not correct for network %d",
- request->ssids[count].ssid_len, count);
+ ssid_length, count);
goto error;
}
+
+ request->ssids[count].ssid_len = ssid_length;
memcpy(request->ssids[count].ssid, nla_data(attr),
- nla_len(attr));
+ ssid_length);
count++;
}
}