diff options
| author | Linux Build Service Account <lnxbuild@localhost> | 2020-12-23 12:25:08 -0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2020-12-23 12:25:07 -0800 |
| commit | 511f7a3487e32c2ca0195849f181ca65fa1a6028 (patch) | |
| tree | 3799736433f575840627959c89fb138bb8c0dffd | |
| parent | 1b52ad499b3bd82fec814bdc1c01919b1491c287 (diff) | |
| parent | 075d8a89a7574a2a124c088f091376ddeeee004e (diff) | |
Merge "qcacld-3.0: Validate assoc response IE len before copy"
| -rw-r--r-- | core/hdd/src/wlan_hdd_assoc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c index fbc929befe0a..128cee0387f4 100644 --- a/core/hdd/src/wlan_hdd_assoc.c +++ b/core/hdd/src/wlan_hdd_assoc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -2214,8 +2214,9 @@ static void hdd_send_re_assoc_event(struct net_device *dev, goto done; } - if (pCsrRoamInfo->nAssocRspLength == 0) { - hdd_err("Assoc rsp length is 0"); + if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) { + hdd_err("Invalid assoc rsp length %d", + pCsrRoamInfo->nAssocRspLength); goto done; } @@ -2245,6 +2246,10 @@ static void hdd_send_re_assoc_event(struct net_device *dev, /* Send the Assoc Resp, the supplicant needs this for initial Auth */ len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET; + if (len > IW_GENERIC_IE_MAX) { + hdd_err("Invalid Assoc resp length %d", len); + goto done; + } rspRsnLength = len; qdf_mem_copy(rspRsnIe, pFTAssocRsp, len); qdf_mem_zero(rspRsnIe + len, IW_GENERIC_IE_MAX - len); |