-rw-r--r--core/mac/src/pe/lim/lim_process_fils.c16
1 files changed, 16 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 7ee3b4aa1ec7..c2d6f966b0d5 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -1352,6 +1352,12 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
return QDF_STATUS_E_FAILURE;
}
+ if (elem_len < KDE_IE_DATA_OFFSET) {
+ pe_err("Not enough len to parse elem_len %d",
+ elem_len);
+ return QDF_STATUS_E_FAILURE;
+ }
+
if (lim_check_if_vendor_oui_match(mac_ctx, KDE_OUI_TYPE,
KDE_OUI_TYPE_SIZE, current_ie, elem_len)) {
@@ -1361,6 +1367,11 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
switch (data_type) {
case DATA_TYPE_GTK:
+ if (data_len < GTK_OFFSET) {
+ pe_err("Invalid KDE data_len %d",
+ data_len);
+ return QDF_STATUS_E_FAILURE;
+ }
qdf_mem_copy(fils_info->gtk, (ie_data +
GTK_OFFSET), (data_len -
GTK_OFFSET));
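Review bot: The new `data_len < GTK_OFFSET` guard in the DATA_TYPE_GTK case stops the subtraction from wrapping, but the copy length `data_len - GTK_OFFSET` is still never compared with the size of the destination `fils_info->gtk`. The declaration of that field is not visible here; if it is a fixed-size array, the guard should reject oversized values as well, e.g. `if (data_len < GTK_OFFSET || data_len - GTK_OFFSET > sizeof(fils_info->gtk))`. The same upper bound is missing in the DATA_TYPE_IGTK case of the next hunk, where both `fils_info->igtk_len` and the copy use `data_len - IGTK_OFFSET`. lim_parse_kde_elements starts and ends outside these hunks, so an existing bound elsewhere in the function cannot be ruled out from this view.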
@@ -1368,6 +1379,11 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
break;
case DATA_TYPE_IGTK:
+ if (data_len < IGTK_OFFSET) {
+ pe_err("Invalid KDE data_len %d",
+ data_len);
+ return QDF_STATUS_E_FAILURE;
+ }
fils_info->igtk_len = (data_len - IGTK_OFFSET);
qdf_mem_copy(fils_info->igtk, (ie_data +
IGTK_OFFSET), (data_len -