From af8a9e6878443bf6ff8d63deaaa55e4a22b914ff Mon Sep 17 00:00:00 2001 From: Varun Reddy Yeturu Date: Wed, 2 Aug 2017 16:47:51 -0700 Subject: qcacld-3.0: Fix wpa index overflow issue Check if wpa index for the OUI retrieval is going beyond the limit of the array and return Change-Id: I040246d7a7c2ca387282dc4d86ffdbdf34007323 CRs-Fixed: 2085702 --- core/sme/src/csr/csr_util.c | 29 ++++++++++++++++++++++++----- 1 file changed, 24 insertions(+), 5 deletions(-) diff --git a/core/sme/src/csr/csr_util.c b/core/sme/src/csr/csr_util.c index c0bf9be311d5..9773d11f9e74 100644 --- a/core/sme/src/csr/csr_util.c +++ b/core/sme/src/csr/csr_util.c @@ -3792,6 +3792,7 @@ static bool csr_get_wpa_cyphers(tpAniSirGlobal mac_ctx, tCsrAuthList *auth_type, uint8_t authentication[CSR_WPA_OUI_SIZE]; uint8_t mccipher_arr[1][CSR_WPA_OUI_SIZE]; uint8_t i; + uint8_t index; eCsrAuthType neg_authtype = eCSR_AUTH_TYPE_UNKNOWN; if (!wpa_ie->present) @@ -3801,20 +3802,38 @@ static bool csr_get_wpa_cyphers(tpAniSirGlobal mac_ctx, tCsrAuthList *auth_type, c_ucast_cipher = (uint8_t) (wpa_ie->unicast_cipher_count); c_auth_suites = (uint8_t) (wpa_ie->auth_suite_count); + /* + * csr_match_wpaoui_index will provide the index of the + * array csr_wpa_oui to be read and determine if it is + * accepatable cipher or not. Below check ensures that + * the index will not be out of range of the array size. + */ + index = csr_get_oui_index_from_cipher(encr_type); + if (!(index < (sizeof(csr_wpa_oui)/CSR_WPA_OUI_SIZE))) { + sme_debug("Unacceptable index: %d", index); + goto end; + } + + sme_debug("kw_dbg: index: %d", index); /* Check - Is requested unicast Cipher supported by the BSS. */ acceptable_cipher = csr_match_wpaoui_index(mac_ctx, wpa_ie->unicast_ciphers, c_ucast_cipher, - csr_get_oui_index_from_cipher(encr_type), - unicast); + index, unicast); if (!acceptable_cipher) goto end; /* unicast is supported. Pick the first matching Group cipher, if any */ for (i = 0; i < mc_encryption->numEntries; i++) { + index = csr_get_oui_index_from_cipher( + mc_encryption->encryptionType[i]); + sme_debug("kw_dbg: index: %d", index); + if (!(index < (sizeof(csr_wpa_oui)/CSR_WPA_OUI_SIZE))) { + sme_debug("Unacceptable MC index: %d", index); + acceptable_cipher = false; + continue; + } acceptable_cipher = csr_match_wpaoui_index(mac_ctx, mccipher_arr, c_mcast_cipher, - csr_get_oui_index_from_cipher( - mc_encryption->encryptionType[i]), - multicast); + index, multicast); if (acceptable_cipher) break; } -- cgit v1.2.3