authorbings <bings@codeaurora.org>2018-08-01 16:11:48 +0800
committerbings <bings@codeaurora.org>2018-08-09 13:59:29 +0800
commit8c91fc67bccea86dc609e5eb692381854247a67a (patch)
tree96bcbefc6548ac239ddc08f3085da0c982b94ec9
parentd41491e38e849c9e40fe779ebf298499773fecf4 (diff)
qcacld-2.0: Add sanity check variable_data len in update_fils_data
Propagation from qcacld-3.0 to qcacld-2.0. In function update_fils_data, fils_indication->num_variable_data is the actual length of the data present in the array variable_data. While accessing the variable_data array to copy the cache identifier, HESSID and realm identifiers, the remaining length of the array is not checked, which could lead to an out-of-bounds (OOB) access. Add a check to validate the remaining data length in the variable_data array before accessing it to copy the various fields. Change-Id: Ifc1f5d55964bcd7fdcc2676ea9c2afede0fe6803 CRs-Fixed: 2288859
-rw-r--r--CORE/SYS/legacy/src/utils/src/parserApi.c19
1 files changed, 19 insertions, 0 deletions
diff --git a/CORE/SYS/legacy/src/utils/src/parserApi.c b/CORE/SYS/legacy/src/utils/src/parserApi.c
index b9103e9182f3..b7f1252580ea 100644
--- a/CORE/SYS/legacy/src/utils/src/parserApi.c
+++ b/CORE/SYS/legacy/src/utils/src/parserApi.c
@@ -2377,6 +2377,7 @@ static void update_fils_data(struct sir_fils_indication *fils_ind,
tDot11fIEfils_indication *fils_indication)
{
uint8_t *data;
+ uint8_t remaining_data = fils_indication->num_variable_data;
data = fils_indication->variable_data;
fils_ind->is_present = true;
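Review bot: `uint8_t remaining_data = fils_indication->num_variable_data;` narrows silently if num_variable_data is declared wider than eight bits; its declaration is not visible in this hunk. Such a truncation would only make the later bounds checks stricter, never looser (a value reduced mod 256 is never larger than the original), so it is a correctness rather than a memory-safety concern, but declaring remaining_data with the same type as num_variable_data, or simply `uint32_t`, removes the question and any -Wconversion warning. update_fils_data continues past the end of this hunk.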
@@ -2389,18 +2390,36 @@ static void update_fils_data(struct sir_fils_indication *fils_ind,
fils_ind->is_pk_auth_supported =
fils_indication->is_pk_auth_supported;
if (fils_indication->is_cache_id_present) {
+ if (remaining_data < SIR_CACHE_IDENTIFIER_LEN) {
+ pe_err("Failed to copy Cache Identifier, Invalid remaining data %d",
+ remaining_data);
+ return;
+ }
fils_ind->cache_identifier.is_present = true;
vos_mem_copy(fils_ind->cache_identifier.identifier,
data, SIR_CACHE_IDENTIFIER_LEN);
data = data + SIR_CACHE_IDENTIFIER_LEN;
+ remaining_data = remaining_data - SIR_CACHE_IDENTIFIER_LEN;
}
if (fils_indication->is_hessid_present) {
+ if (remaining_data < SIR_HESSID_LEN) {
+ pe_err("Failed to copy HESSID, Invalid remaining data %d",
+ remaining_data);
+ return;
+ }
fils_ind->hessid.is_present = true;
vos_mem_copy(fils_ind->hessid.hessid,
data, SIR_HESSID_LEN);
data = data + SIR_HESSID_LEN;
+ remaining_data = remaining_data - SIR_HESSID_LEN;
}
if (fils_indication->realm_identifiers_cnt) {
+ if (remaining_data < (fils_indication->realm_identifiers_cnt *
+ SIR_REALM_LEN)) {
+ pe_err("Failed to copy Realm Identifier, Invalid remaining data %d realm_cnt %d",
+ remaining_data, fils_indication->realm_identifiers_cnt);
+ return;
+ }
fils_ind->realm_identifier.is_present = true;
fils_ind->realm_identifier.realm_cnt =
fils_indication->realm_identifiers_cnt;
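Review bot: Each new bailout returns with `fils_ind->is_present` already set to true (at the top of the function), and for the HESSID and realm checks with `cache_identifier.is_present` or `hessid.is_present` already set by the earlier successful copies, so a truncated IE is still handed to the caller as a present FILS indication with partially filled contents. Unless callers are known to tolerate that, clearing the indication before bailing out is the safer shape, e.g. `fils_ind->is_present = false;` ahead of each `return;`, or computing the total required length once up front from the three presence flags and rejecting the IE before any field is copied. The realm copy that the last check guards, and the remainder of update_fils_data, lie past the end of the hunk.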