From bc5f01389bdde4e39d6fda8c29b64bd2d47eab45 Mon Sep 17 00:00:00 2001
From: Nachiket Kukade
Date: Wed, 29 Nov 2017 15:06:20 +0530
Subject: qcacld-3.0: Validate Country IE length before copying country code

During starting of SAP, after extracting the pointer to the country IE, country code is copied without proper IE length validation. A smaller than accceptible IE length can cause out of bound memory access. Validate length with with the minimum acceptible length before copying.

Change-Id: Ie2115bdbd22badd51ea40d028331ef1a74b02281
CRs-Fixed: 2150285
---
 core/hdd/src/wlan_hdd_hostapd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
index 1ba0f9986cc7..7de80fa1226e 100644
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@@ -7952,6 +7952,12 @@ int wlan_hdd_cfg80211_start_bss(hdd_adapter_t *pHostapdAdapter,
 					pBeacon->tail_len, WLAN_EID_COUNTRY);
 	if (pIe) {
+		if (pIe[1] < IEEE80211_COUNTRY_IE_MIN_LEN) {
+			hdd_err("Invalid Country IE len: %d", pIe[1]);
+			ret = -EINVAL;
+			goto error;
+		}
+
 		pConfig->ieee80211d = 1;
 		qdf_mem_copy(pConfig->countryCode, &pIe[2], 3);
 		sme_set_reg_info(hHal, pConfig->countryCode);
--
cgit v1.2.3
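Review bot: The new check only validates the element's own length byte `pIe[1]` against IEEE80211_COUNTRY_IE_MIN_LEN; it does not confirm that the element actually fits inside the beacon tail it was found in, so unless the lookup that produced pIe (the call cut off above, which takes pBeacon->tail_len) already rejects elements whose declared length runs past the end of the tail, a country IE truncated at the tail boundary would still let `qdf_mem_copy(pConfig->countryCode, &pIe[2], 3)` read beyond the buffer — worth confirming the finder enforces that, or adding an explicit end-of-tail comparison here. The reason for the minimum is not stated in the code; a one-line comment above the check such as `/* need the 3-byte country string (and a well-formed IE) before copying into countryCode */` would help the next reader. The `goto error` relies on a label and cleanup path defined outside the hunk; it is presumably the same path used by the neighbouring validation failures, but that cannot be verified from this hunk. wlan_hdd_cfg80211_start_bss begins and ends outside the hunk.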