diff options
| -rw-r--r-- | core/hdd/src/wlan_hdd_assoc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c index 618b2875813a..dff5e4fec567 100644 --- a/core/hdd/src/wlan_hdd_assoc.c +++ b/core/hdd/src/wlan_hdd_assoc.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -2258,8 +2258,9 @@ static void hdd_send_re_assoc_event(struct net_device *dev, goto done; } - if (pCsrRoamInfo->nAssocRspLength == 0) { - hdd_err("Assoc rsp length is 0"); + if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) { + hdd_err("Invalid assoc rsp length %d", + pCsrRoamInfo->nAssocRspLength); goto done; } @@ -2289,6 +2290,10 @@ static void hdd_send_re_assoc_event(struct net_device *dev, /* Send the Assoc Resp, the supplicant needs this for initial Auth */ len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET; + if (len > IW_GENERIC_IE_MAX) { + hdd_err("Invalid Assoc resp length %d", len); + goto done; + } rspRsnLength = len; qdf_mem_copy(rspRsnIe, pFTAssocRsp, len); qdf_mem_zero(rspRsnIe + len, IW_GENERIC_IE_MAX - len); |