| author | tinlin <tinlin@codeaurora.org> | 2018-04-25 13:56:06 +0800 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-05-09 22:24:08 -0700 |
| commit | f2d57b233de8169eebd7a281e1668799a18f5988 (patch) | |
| tree | a12df113bf9c5619de52b988b46febcf2d0bea15 | |
| parent | 33f31d107c3540f45dac3fe1dfb5f21482ab6306 (diff) | |
qcacld-3.0: Fix overwrite in wlan_hdd_cfg80211_set_ie
Fix overwrite when handling RSN element and WAPI AKM suite
list in wlan_hdd_cfg80211_set_ie.
Change-Id: I63528da4c2dfafa22f2c6fc73afe52727af02b64
CRs-Fixed: 2228031
| -rw-r--r-- | core/hdd/src/wlan_hdd_cfg80211.c | 23 |
1 files changed, 13 insertions, 10 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c index db94f74295d6..b06c72e4c49c 100644 --- a/core/hdd/src/wlan_hdd_cfg80211.c +++ b/core/hdd/src/wlan_hdd_cfg80211.c @@ -17441,9 +17441,9 @@ static int wlan_hdd_cfg80211_set_ie(hdd_adapter_t *pAdapter, const uint8_t *ie, uint16_t remLen = ie_len; #ifdef FEATURE_WLAN_WAPI uint32_t akmsuite[MAX_NUM_AKM_SUITES]; - u16 *tmp; + uint8_t *tmp; uint16_t akmsuiteCount; - int *akmlist; + uint32_t *akmlist; #endif int status; @@ -17637,12 +17637,12 @@ static int wlan_hdd_cfg80211_set_ie(hdd_adapter_t *pAdapter, const uint8_t *ie, } break; case DOT11F_EID_RSN: - hdd_debug("Set RSN IE(len %d)", eLen + 2); - if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) { + if (eLen > DOT11F_IE_RSN_MAX_LEN) { hdd_err("%s: Invalid WPA RSN IE length[%d]", - __func__, eLen); + __func__, eLen); return -EINVAL; } + hdd_debug("Set RSN IE(len %d)", eLen + 2); memset(pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN); memcpy(pWextState->WPARSNIE, genie - 2, (eLen + 2)); @@ -17688,13 +17688,16 @@ static int wlan_hdd_cfg80211_set_ie(hdd_adapter_t *pAdapter, const uint8_t *ie, /* Setting WAPI Mode to ON=1 */ pAdapter->wapi_info.nWapiMode = 1; hdd_debug("WAPI MODE IS %u", pAdapter->wapi_info.nWapiMode); - tmp = (u16 *) ie; - tmp = tmp + 2; /* Skip element Id and Len, Version */ + tmp = (uint8_t *)ie; + tmp = tmp + 4; /* Skip element Id and Len, Version */ + /* Get the number of AKM suite */ akmsuiteCount = WPA_GET_LE16(tmp); - tmp = tmp + 1; - akmlist = (int *)(tmp); + /* Skip the number of AKM suite */ + tmp = tmp + 2; + /* AKM suite list, each OUI contains 4 bytes */ + akmlist = (uint32_t *)(tmp); if (akmsuiteCount <= MAX_NUM_AKM_SUITES) { - memcpy(akmsuite, akmlist, (4 * akmsuiteCount)); + memcpy(akmsuite, akmlist, akmsuiteCount); } else { hdd_err("Invalid akmSuite count: %u", akmsuiteCount); |
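Review bot: In the DOT11F_EID_RSN hunk (@@ -17637) the length check no longer refers to the buffer it protects: `memcpy(pWextState->WPARSNIE, genie - 2, (eLen + 2))` writes into a buffer that the preceding memset sizes as MAX_WPA_RSN_IE_LEN, while the guard is now `eLen > DOT11F_IE_RSN_MAX_LEN`. Neither constant is defined in the visible lines, so the copy stays in bounds only if DOT11F_IE_RSN_MAX_LEN + 2 does not exceed MAX_WPA_RSN_IE_LEN. I would pin that relation next to the check with `BUILD_BUG_ON(DOT11F_IE_RSN_MAX_LEN + 2 > MAX_WPA_RSN_IE_LEN);`, or keep the destination bound as a second clause of the condition. The enclosing switch case starts and ends outside the hunk.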
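Review bot: In the WAPI hunk (@@ -17688), `memcpy(akmsuite, akmlist, akmsuiteCount);` now copies akmsuiteCount bytes instead of akmsuiteCount four-byte suites. Since `uint32_t akmsuite[MAX_NUM_AKM_SUITES]` has no initializer at its declaration in the first hunk, any later read of an `akmsuite[n]` entry (not visible here) would mix one copied byte with stale stack contents. The destination was already bounded by `akmsuiteCount <= MAX_NUM_AKM_SUITES`, so the length should be `akmsuiteCount * sizeof(akmsuite[0])`. What the visible lines do not bound is the source: `tmp + 4`, `WPA_GET_LE16(tmp)` and the copy all read from `ie` at fixed offsets, so unless a check outside this hunk covers it, the element should be rejected first with something like `if (ie_len < 6 || (size_t)akmsuiteCount * 4 > (size_t)ie_len - 6)`. Declaring `tmp` as `const uint8_t *` and copying straight from it would also avoid casting away const and forming a possibly misaligned `uint32_t *`.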
