authorAshish Kumar Dhanotiya <adhanoti@codeaurora.org>2020-02-11 17:57:11 +0530
committerJeferson Oliveira <jroliveira.oliveira301@gmail.com>2021-08-17 21:06:41 +0200
commit666a4b38619b2f3d4ede766d085719a1a3929fff (patch)
tree87f9a2b8e12fb65d19a7241785df447880e139c3
parent0dbd12230571d12e6f4bfa85c690ecabdb1b35a8 (diff)
wlan: Validate assoc response IE len before copy
When the host sends the FT assoc response to the supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed-size buffer. There is a possibility of an OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid the above issue, validate the assoc response IEs length against the allocated buffer size before copying data to the buffer. Change-Id: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78 CRs-Fixed: 2616225 (cherry picked from commit c7ea2364eb458e2706b7bae3ed3e70fba7fa56e6)
-rw-r--r--drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
index 56775f2b649..e52af45b96d 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
@@ -354,10 +354,10 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
unsigned int len = 0;
u8 *pFTAssocRsp = NULL;
- if (pCsrRoamInfo->nAssocRspLength == 0)
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)
{
hddLog(LOGE,
- "%s: pCsrRoamInfo->nAssocRspLength=%d",
+ "%s: Invalid assoc rsp length %d",
__func__, (int)pCsrRoamInfo->nAssocRspLength);
return;
}
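Review bot: The new lower bound still admits `nAssocRspLength == FT_ASSOC_RSP_IES_OFFSET`, which leaves zero IE bytes after the offset. The context lines of the next hunk then read `pFTAssocRsp[0]` and `pFTAssocRsp[1]` for a log message; if the pointer has already been advanced to the IEs by that point (the hunk does not show it), those two reads fall outside the response. Rejecting the boundary case, `if (pCsrRoamInfo->nAssocRspLength <= FT_ASSOC_RSP_IES_OFFSET)`, avoids an empty IWEVASSOCRESPIE event, and requiring room for a two-byte IE header would also cover the logged bytes. The body of hdd_SendFTAssocResponse starts and ends outside this hunk.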
@@ -376,6 +376,16 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
(unsigned int)pFTAssocRsp[0],
(unsigned int)pFTAssocRsp[1]);
+ /* Send the Assoc Resp, the supplicant needs this for initial Auth. */
+ len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX) {
+ hddLog(LOGE,
+ "%s: Invalid assoc rsp length %d",
+ __func__, (int)pCsrRoamInfo->nAssocRspLength);
+ return;
+ }
+ wrqu.data.length = len;
+
// We need to send the IEs to the supplicant.
buff = kmalloc(IW_GENERIC_IE_MAX, GFP_ATOMIC);
if (buff == NULL)
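Review bot: The upper-bound rejection at `if (len > IW_GENERIC_IE_MAX)` logs the same text, "Invalid assoc rsp length %d", and the same value (the total `nAssocRspLength`) as the too-short check earlier in the function, so a log reader cannot tell which bound was violated or how large the IE payload was. Logging the computed value and the limit would make an oversized response easier to triage, e.g. `"%s: assoc rsp IE length %u exceeds max %d", __func__, len, IW_GENERIC_IE_MAX`. The moved comment would also be a good place to record why the subtraction cannot wrap: `/* nAssocRspLength >= FT_ASSOC_RSP_IES_OFFSET was checked above, so len cannot underflow. */`. The function continues outside this hunk.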
@@ -384,9 +394,6 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap
return;
}
- // Send the Assoc Resp, the supplicant needs this for initial Auth.
- len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
- wrqu.data.length = len;
memset(buff, 0, IW_GENERIC_IE_MAX);
memcpy(buff, pFTAssocRsp, len);
wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);