authorNishank Aggarwal <naggar@codeaurora.org>2017-01-12 14:32:02 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2017-02-05 22:33:40 -0800
commita7b3c4e774804f69f6ffbec343e3e20c0de18abf (patch)
tree4233984b0d7f73f41e1f373cbd3ca98c3fa95dba
parentddcbce9b6ba2f118ba822a7cb1e6fef78b901fab (diff)
qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
Currently, in WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen is user-controllable and is never validated before it is used as the length for a memory copy. This enables user-space applications to corrupt heap memory and potentially crash the kernel. The fix is to validate the WPARSNIes length against its maximum before it is used as the length for a memory copy. Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68 CRs-Fixed: 1102648
-rw-r--r--CORE/HDD/src/wlan_hdd_hostapd.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 56003d99c6c9..4358e404d0e8 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -6099,6 +6099,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
return 0;
}
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
+ wrqu->data.length);
+ return -EINVAL;
+ }
+
switch (genie[0])
{
case DOT11F_EID_WPA:
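Review bot: The length guard added before `switch (genie[0])` sits in the ioctl handler `__iw_set_ap_genie`, while the commit message places the unchecked copy in WLANSAP_Set_WPARSNIes(); if that function has other callers (none are visible in this hunk) they would still reach the copy unvalidated, so the bound is safer enforced inside the callee against the actual size of the destination buffer. It is also not visible here that `DOT11F_IE_RSN_MAX_LEN` matches that buffer's size, or whether it counts the element ID and length bytes at the start of `genie`, so that equivalence is worth confirming. Separately, the trace text reads `more than max[%d]` but prints the supplied length; `"%s: WPARSN IE length %d exceeds max %d", __func__, wrqu->data.length, DOT11F_IE_RSN_MAX_LEN` would be unambiguous in a log. The function body starts before and continues past this hunk.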