authorHong Shi <hongsh@codeaurora.org>2017-12-03 21:36:59 +0800
committersnandini <snandini@codeaurora.org>2017-12-05 20:02:12 -0800
commit7e82edc9f1ed60fa99dd4da29f91c4ad79470d7e (patch)
tree34b487b7df2c49b31574e8840cc87eba9fb2d668
parenta9ce6eaae95483282d709328d56512ee71fcff4c (diff)
qcacld-2.0: Fix buffer overread in lim_process_fils_auth_frame2
The return value of dot11fUnpackIeRSN is not validated, so "dot11f_ie_rsn.pmkid_count" could be larger than 4. When it is larger than 4 there will be a buffer over-read in vos_mem_compare. Add a status check of dot11fUnpackIeRSN in lim_process_fils_auth_frame2. Change-Id: If563ddb13bbfcad5660d136c35c39846010594e1 CRs-Fixed: 2147955
-rw-r--r--CORE/MAC/src/pe/lim/lim_process_fils.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/CORE/MAC/src/pe/lim/lim_process_fils.c b/CORE/MAC/src/pe/lim/lim_process_fils.c
index 455bcee725de..5ab7e27bab0d 100644
--- a/CORE/MAC/src/pe/lim/lim_process_fils.c
+++ b/CORE/MAC/src/pe/lim/lim_process_fils.c
@@ -1132,10 +1132,13 @@ bool lim_process_fils_auth_frame2(tpAniSirGlobal mac_ctx,
if (!pe_session->fils_info)
return false;
- dot11fUnpackIeRSN(mac_ctx,
+
+ if (dot11fUnpackIeRSN(mac_ctx,
&rx_auth_frm_body->rsn_ie.info[0],
rx_auth_frm_body->rsn_ie.length,
- &dot11f_ie_rsn);
+ &dot11f_ie_rsn) != DOT11F_PARSE_SUCCESS) {
+ return false;
+ }
for (i = 0; i < dot11f_ie_rsn.pmkid_count; i++) {
if (vos_mem_compare(dot11f_ie_rsn.pmkid[i],