qcacld-3.0: Validate wpa ie length before extracting ie

During initializing ibss security settings there is a possibility of integer underflow while extracting wpa ie because of ie length check miss. Add wpa ie length boundary check before extracting wpa ie. Change-Id: I37d8ee5ea1e1ba12277128a1407783f5647251b6 CRs-Fixed: 2151241
author: Hanumanth Reddy Pothula <c_hpothu@codeaurora.org> 2018-01-19 18:00:03 +0530
committer: snandini <snandini@codeaurora.org> 2018-01-24 04:59:54 -0800
commit: f03572b1aa936e5a13f4297ae62c81ecf9149fd3 (patch)
tree: fe86d5c2f890175b4aa884b1280f09753c93b64c /core
parent: 11acf7d95b827d40c3648d4efead2add627be715 (diff)
1 files changed, 5 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index dd8b7d151b79..f18083621984 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -18797,6 +18797,11 @@ static int wlan_hdd_cfg80211_set_privacy_ibss(hdd_adapter_t *pAdapter,
 			if (NULL != ie) {
 				pWextState->wpaVersion =
 					IW_AUTH_WPA_VERSION_WPA;
+				if (ie[1] < DOT11F_IE_WPA_MIN_LEN ||
+				    ie[1] > DOT11F_IE_WPA_MAX_LEN) {
+					hdd_err("invalid ie len:%d", ie[1]);
+					return -EINVAL;
+				}
 				/* Unpack the WPA IE */
 				/* Skip past the EID byte and length byte - and four byte WiFi OUI */
 				dot11f_unpack_ie_wpa((tpAniSirGlobal) halHandle,
author	Hanumanth Reddy Pothula <c_hpothu@codeaurora.org>	2018-01-19 18:00:03 +0530
committer	snandini <snandini@codeaurora.org>	2018-01-24 04:59:54 -0800
commit	f03572b1aa936e5a13f4297ae62c81ecf9149fd3 (patch)
tree	fe86d5c2f890175b4aa884b1280f09753c93b64c /core
parent	11acf7d95b827d40c3648d4efead2add627be715 (diff)