From 481d44117c1a4314b7ace2f176ea7db75f4ece99 Mon Sep 17 00:00:00 2001 From: Vignesh Viswanathan Date: Tue, 29 May 2018 10:27:51 +0530 Subject: qcacld-3.0: Validate TLV length in FILS wrapped data before processing While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame, the tlv->length from the frame is used as the length to copy the buffer into the FILS auth info without validating if the received buffer length is at least greater than the length value in the TLV buffer. This would lead to OOB read if the TLV length present in the frame is greater than the actual data_len of the FILS wrapped data. Add sanity check to return error if tlv->length is greater than wrapped data_len + 2 with 2 bytes for the TLV header. Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c CRs-Fixed: 2245944 --- core/mac/src/pe/lim/lim_process_fils.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c index 0056b5ab2876..4877816d63c0 100644 --- a/core/mac/src/pe/lim/lim_process_fils.c +++ b/core/mac/src/pe/lim/lim_process_fils.c @@ -349,6 +349,13 @@ static uint32_t lim_process_fils_eap_tlv(tpPESession pe_session, pe_debug("tlv type %x len %u total %u", tlv->type, tlv->length, data_len); + + if (tlv->length > (data_len - 2)) { + pe_err("tlv len %d greater data_len %d", + tlv->length, data_len); + return 0; + } + switch (tlv->type) { case SIR_FILS_EAP_TLV_KEYNAME_NAI: auth_info->keyname = qdf_mem_malloc(tlv->length); -- cgit v1.2.3