From c5060da3e741577578d66dfadb7922d853da6156 Mon Sep 17 00:00:00 2001
From: Naveen Rawat
Date: Tue, 13 Jun 2017 17:29:51 -0700
Subject: qcacld-3.0: Add check for set_ft_ies buffer length
Add check for buffer length in function sme_set_ft_ies.
Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
CRs-Fixed: 2055659
---
 core/hdd/src/wlan_hdd_wext.c | 5 +++++
 core/sme/src/common/sme_ft_api.c | 4 ++--
 2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
index 637588d..9b35d19 100644
--- a/core/hdd/src/wlan_hdd_wext.c
+++ b/core/hdd/src/wlan_hdd_wext.c
@@ -13692,6 +13692,11 @@ static const struct iw_priv_args we_private_args[] = {
 IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1, "hostroamdelay"} ,
+
+ {WLAN_PRIV_SET_FTIES,
+ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
+ 0,
+ "set_ft_ies"},
 }; const struct iw_handler_def we_handler_def = {
diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
index de4b656..f97b2e4 100644
--- a/core/sme/src/common/sme_ft_api.c
+++ b/core/sme/src/common/sme_ft_api.c
@@ -150,6 +150,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
 switch (session->ftSmeContext.FTState) { case eFT_START_READY: case eFT_AUTH_REQ_READY:
+ sme_debug("ft_ies_length: %d", ft_ies_length);
 if ((session->ftSmeContext.auth_ft_ies) && (session->ftSmeContext.auth_ft_ies_length)) { /* Free the one we recvd last from supplicant */
@@ -157,6 +158,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
 session->ftSmeContext.auth_ft_ies_length = 0; session->ftSmeContext.auth_ft_ies = NULL; }
+ ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);
 /* Save the FT IEs */ session->ftSmeContext.auth_ft_ies = qdf_mem_malloc(ft_ies_length);
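Review bot: The new we_private_args entry only bounds the user-supplied length if MAX_FTIE_SIZE fits in IW_PRIV_SIZE_MASK (0x07FF); a larger value is silently masked by the `|` and the wext layer would then reject or accept lengths that do not match what the handler expects, so the relationship deserves a comment at the entry, `/* declared size: wext rejects a set longer than MAX_FTIE_SIZE before the handler runs; must stay <= IW_PRIV_SIZE_MASK */`, and ideally a `BUILD_BUG_ON(MAX_FTIE_SIZE > IW_PRIV_SIZE_MASK);` near the definition if the file has a place for it. Presumably the WLAN_PRIV_SET_FTIES handler now receives the buffer the kernel copied in and must size its work from `wrqu->data.length` rather than assuming a NUL terminator, since IW_PRIV_TYPE_CHAR data is not terminated; that handler is outside this hunk, so confirm it does not rely on the old raw-pointer path. The table continues outside the hunk.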
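Review bot: The added `QDF_MIN` clamp truncates an oversized supplicant buffer instead of rejecting it, so a caller that passes more than MAX_FTIE_SIZE bytes silently ends up with a partial IE set stored in auth_ft_ies and the state still advanced to eFT_AUTH_REQ_READY (the copy and state update are in the following hunk), with nothing but a debug print to show it happened. Since the commit's stated purpose is a length check, I would reject before freeing the previously stored IEs, e.g. `if (ft_ies_length > MAX_FTIE_SIZE) { sme_err("ft_ies_length %d exceeds MAX_FTIE_SIZE", ft_ies_length); break; }` (matching the sme_debug already used), or whatever error path the function uses elsewhere. The hunk also shows no guard against `ft_ies == NULL` or `ft_ies_length == 0` before `qdf_mem_malloc(ft_ies_length)`; if the callers do not guarantee that, add it here, and note the `%d` in the debug print should match the type of ft_ies_length, which the cut-off prototype does not show. sme_set_ft_ies starts and ends outside this hunk.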
@@ -169,8 +171,6 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
 qdf_mem_copy((uint8_t *)session->ftSmeContext.auth_ft_ies, ft_ies, ft_ies_length); session->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
-
- sme_debug("ft_ies_length: %d", ft_ies_length);
 break; case eFT_AUTH_COMPLETE:
-- cgit v1.1