authorNachiket Kukade <nkukade@codeaurora.org>2017-11-29 15:06:20 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2017-12-08 00:58:51 -0800
commitbc5f01389bdde4e39d6fda8c29b64bd2d47eab45 (patch)
tree513f051b57ae8858c9813d8ebd11a93a4116f193
parent36d236c3ee4034d51af0a4a93a219cf6f29164c3 (diff)
qcacld-3.0: Validate Country IE length before copying country code
During starting of SAP, after extracting the pointer to the country IE, the country code is copied without proper IE length validation. A smaller than acceptable IE length can cause out-of-bounds memory access. Validate the length against the minimum acceptable length before copying. Change-Id: Ie2115bdbd22badd51ea40d028331ef1a74b02281 CRs-Fixed: 2150285
-rw-r--r--core/hdd/src/wlan_hdd_hostapd.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
index 1ba0f9986cc7..7de80fa1226e 100644
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@@ -7952,6 +7952,12 @@ int wlan_hdd_cfg80211_start_bss(hdd_adapter_t *pHostapdAdapter,
pBeacon->tail_len,
WLAN_EID_COUNTRY);
if (pIe) {
+ if (pIe[1] < IEEE80211_COUNTRY_IE_MIN_LEN) {
+ hdd_err("Invalid Country IE len: %d", pIe[1]);
+ ret = -EINVAL;
+ goto error;
+ }
+
pConfig->ieee80211d = 1;
qdf_mem_copy(pConfig->countryCode, &pIe[2], 3);
sme_set_reg_info(hHal, pConfig->countryCode);
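Review bot: The added guard `if (pIe[1] < IEEE80211_COUNTRY_IE_MIN_LEN)` checks only the length byte the element declares about itself, so the 3-byte `qdf_mem_copy` from `&pIe[2]` is in bounds only if the lookup that returned `pIe` already confirmed that the element header and its declared payload fit inside `pBeacon->tail_len`. That lookup call starts above the hunk and its implementation is not visible here, so the assumption should be verified and recorded next to the check, for example `/* pIe[1] is the IE payload length; the IE lookup is expected to have bounded it by tail_len */`. The literal `3` in the copy would also read better as a named country-code length constant shared with the declaration of `pConfig->countryCode`, so that the source-side check and the destination size cannot drift apart. The body of wlan_hdd_cfg80211_start_bss continues outside the hunk on both sides, so whether the `error` label releases everything acquired up to this point cannot be judged from here.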