authorHanumanth Reddy Pothula <c_hpothu@codeaurora.org>2018-01-19 18:00:03 +0530
committersnandini <snandini@codeaurora.org>2018-01-24 04:59:54 -0800
commitf03572b1aa936e5a13f4297ae62c81ecf9149fd3 (patch)
treefe86d5c2f890175b4aa884b1280f09753c93b64c
parent11acf7d95b827d40c3648d4efead2add627be715 (diff)
qcacld-3.0: Validate wpa ie length before extracting ie
While initializing IBSS security settings, an integer underflow is possible when extracting the WPA IE because the IE length is not checked. Add a WPA IE length boundary check before extracting the WPA IE. Change-Id: I37d8ee5ea1e1ba12277128a1407783f5647251b6 CRs-Fixed: 2151241
-rw-r--r--core/hdd/src/wlan_hdd_cfg80211.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index dd8b7d151b79..f18083621984 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -18797,6 +18797,11 @@ static int wlan_hdd_cfg80211_set_privacy_ibss(hdd_adapter_t *pAdapter,
if (NULL != ie) {
pWextState->wpaVersion =
IW_AUTH_WPA_VERSION_WPA;
+ if (ie[1] < DOT11F_IE_WPA_MIN_LEN ||
+ ie[1] > DOT11F_IE_WPA_MAX_LEN) {
+ hdd_err("invalid ie len:%d", ie[1]);
+ return -EINVAL;
+ }
/* Unpack the WPA IE */
/* Skip past the EID byte and length byte - and four byte WiFi OUI */
dot11f_unpack_ie_wpa((tpAniSirGlobal) halHandle,
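Review bot: `pWextState->wpaVersion` is assigned `IW_AUTH_WPA_VERSION_WPA` before the new length check, so the `return -EINVAL` path may leave the adapter's state marked as WPA for an IE that was just rejected; moving the assignment below the check would keep that state untouched on failure. The check bounds only the IE's self-declared length `ie[1]`. Whether that length also fits inside the buffer `ie` was located in depends on the lookup before this hunk, which is not visible here and is worth confirming. A short comment above the check would record why the lower bound matters, e.g. `/* ie[1] must cover the 4-byte OUI skipped before unpacking, or the remaining length underflows */`. The enclosing function and the `dot11f_unpack_ie_wpa` call both continue outside the hunk.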