mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
51 lines
1.6 KiB
Diff
51 lines
1.6 KiB
Diff
|
From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001
|
||
|
From: Nishank Aggarwal <naggar@codeaurora.org>
|
||
|
Date: Fri, 10 Feb 2017 15:48:13 +0530
|
||
|
Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
|
||
|
|
||
|
qcacld-2.0 to prima propagation
|
||
|
|
||
|
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
|
||
|
is user-controllable and never validates which uses as the length
|
||
|
for a memory copy. This enables user-space applications to corrupt
|
||
|
heap memory and potentially crash the kernel.
|
||
|
|
||
|
Fix is to validate the WPARSNIes length to its max before use as the
|
||
|
length for a memory copy.
|
||
|
|
||
|
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
|
||
|
CRs-Fixed: 1102648
|
||
|
---
|
||
|
CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++-
|
||
|
1 file changed, 9 insertions(+), 1 deletion(-)
|
||
|
|
||
|
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
index 33f7d50..c0c5c14 100644
|
||
|
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
|
||
|
@@ -1,5 +1,5 @@
|
||
|
/*
|
||
|
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
|
||
|
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
|
||
|
*
|
||
|
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||
|
*
|
||
|
@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev,
|
||
|
return 0;
|
||
|
}
|
||
|
|
||
|
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN)
|
||
|
+ {
|
||
|
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
|
||
|
+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
|
||
|
+ wrqu->data.length);
|
||
|
+ return -EINVAL;
|
||
|
+ }
|
||
|
+
|
||
|
switch (genie[0])
|
||
|
{
|
||
|
case DOT11F_EID_WPA:
|
||
|
--
|
||
|
cgit v1.1
|
||
|
|