summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDustin Brown <dustinb@codeaurora.org>2017-11-20 13:02:47 -0800
committersnandini <snandini@codeaurora.org>2017-11-28 10:36:57 -0800
commit8951c27064ef5f707a1756a0e661abaad4806445 (patch)
treef841010ef737af9b0e762a8116237aa6e95f3ee5
parent17ed2726f95dec6568a7293c7f341f452198eb93 (diff)
qcacld-3.0: Bounds check key length in __iw_set_ap_encodeext
__iw_set_ap_encodeext iterates over a key buffer based on a length that may be larger than the key buffer size. Bounds check the key length before iterating over the buffer, and reject the call if the length is too large. Change-Id: I2473905500470ab6c4e83f5822949bbc9d94f5f1 CRs-Fixed: 2146119
-rw-r--r--core/hdd/src/wlan_hdd_hostapd.c8
1 files changed, 4 insertions, 4 deletions
diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
index daf81c6add7e..79778160b1ed 100644
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@@ -4911,16 +4911,16 @@ static int __iw_set_ap_encodeext(struct net_device *dev,
/*Convert from 1-based to 0-based keying */
key_index--;
}
- if (!ext->key_len)
- return ret;
+
+ if (!ext->key_len || ext->key_len > CSR_MAX_KEY_LEN)
+ return -EINVAL;
qdf_mem_zero(&setKey, sizeof(tCsrRoamSetKey));
setKey.keyId = key_index;
setKey.keyLength = ext->key_len;
- if (ext->key_len <= CSR_MAX_KEY_LEN)
- qdf_mem_copy(&setKey.Key[0], ext->key, ext->key_len);
+ qdf_mem_copy(&setKey.Key[0], ext->key, ext->key_len);
if (ext->ext_flags & IW_ENCODE_EXT_GROUP_KEY) {
/*Key direction for group is RX only */