prima: Fix buffer overflow in WLANSAP_Set_WPARSNIes()

Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen is user-controllable and never validates which uses as the length for a memory copy. This enables user-space applications to corrupt heap memory and potentially crash the kernel. Fix is to validate the WPARSNIes length to its max before use as the length for a memory copy. Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68 CRs-Fixed: 1102648
author: Nishank Aggarwal <naggar@codeaurora.org> 2017-01-12 14:32:02 +0530
committer: Joey Rizzoli <joey@lineageos.org> 2017-05-02 15:35:09 +0200
commit: 04486243925e7dccc9ec6ad6642b2ba3fbddaab5 (patch)
tree: 9110ddda4423bcd1e6f9191ba1e0d28723f5169a
parent: 3b6be5664eec2f2a873d9c83280c0de0eb1bb330 (diff)
1 files changed, 7 insertions, 0 deletions
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
index 90b9ec459c1..500ec9be3a4 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -3952,6 +3952,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
         return 0;
     }
 
+    if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
+       VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+               "%s: WPARSN Ie input length is more than max[%d]", __func__,
+                wrqu->data.length);
+       return -EINVAL;
+    }
+
     switch (genie[0])
     {
         case DOT11F_EID_WPA:
author	Nishank Aggarwal <naggar@codeaurora.org>	2017-01-12 14:32:02 +0530
committer	Joey Rizzoli <joey@lineageos.org>	2017-05-02 15:35:09 +0200
commit	04486243925e7dccc9ec6ad6642b2ba3fbddaab5 (patch)
tree	9110ddda4423bcd1e6f9191ba1e0d28723f5169a
parent	3b6be5664eec2f2a873d9c83280c0de0eb1bb330 (diff)