authorVignesh Viswanathan <viswanat@codeaurora.org>2018-05-29 10:27:51 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-06-04 00:27:45 -0700
commit481d44117c1a4314b7ace2f176ea7db75f4ece99 (patch)
tree1d8094927a66731ead5fcfd1210b52eeed4c3422
parentd02af1b676d5113445975f275afe7bbdb0396a7e (diff)
qcacld-3.0: Validate TLV length in FILS wrapped data before processing
While processing the FILS EAP TLVs present in the FILS wrapped data of an Auth Frame, tlv->length from the frame is used as the length to copy the buffer into the FILS auth info, without validating that the received buffer length is at least as large as the length value in the TLV buffer. This leads to an OOB read if the TLV length present in the frame is greater than the actual data_len of the FILS wrapped data. Add a sanity check that returns an error if tlv->length is greater than the wrapped data_len + 2, with 2 bytes for the TLV header. Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c CRs-Fixed: 2245944
-rw-r--r--core/mac/src/pe/lim/lim_process_fils.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 0056b5ab2876..4877816d63c0 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -349,6 +349,13 @@ static uint32_t lim_process_fils_eap_tlv(tpPESession pe_session,
pe_debug("tlv type %x len %u total %u",
tlv->type, tlv->length, data_len);
+
+ if (tlv->length > (data_len - 2)) {
+ pe_err("tlv len %d greater data_len %d",
+ tlv->length, data_len);
+ return 0;
+ }
+
switch (tlv->type) {
case SIR_FILS_EAP_TLV_KEYNAME_NAI:
auth_info->keyname = qdf_mem_malloc(tlv->length);