From fb9fb202c71547dba648c9b08d97645c6f42ca6e Mon Sep 17 00:00:00 2001
From: Mahesh A Saptasagar
Date: Wed, 28 Oct 2015 16:36:56 +0530
Subject: qcacld 2.0: Validate WPA and RSN IE for valid length prima to qcacld-2.0 propagation Return failure to applications if genie ioctl is invoked to configure WPS/WPA/RSN IEs with arguments of improper length.
Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6
CRs-Fixed: 931451
---
 CORE/HDD/src/wlan_hdd_wext.c | 34 +++++++++++++++++++++++++---------
 1 file changed, 25 insertions(+), 9 deletions(-)
diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 28a280b..4349e6b 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -2613,8 +2613,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 case IE_EID_VENDOR:
 if ((IE_LEN_SIZE+IE_EID_SIZE+IE_VENDOR_OUI_SIZE) > eLen) /* should have at least OUI */
 {
- kfree(base_genie);
- return -EINVAL;
+ ret = -EINVAL;
+ goto exit;
 }
 if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4))
@@ -2628,8 +2628,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
 "Need bigger buffer space");
 VOS_ASSERT(0);
- kfree(base_genie);
- return -ENOMEM;
+ ret = -EINVAL;
+ goto exit;
 }
 // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
 memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
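Review bot: In the `IE_EID_VENDOR` branch (hunk at -2613) `eLen` is compared only with a minimum constant, and none of the visible hunks compares it with `remLen` before `memcmp(&genie[0], ...)` and the later `memcpy(..., genie - 2, eLen + 2)` calls read from the buffer that is freed as `base_genie`. The loop head is outside this diff, so this may already be handled there; if it is not, an element whose length byte exceeds the bytes remaining is read past the end of that allocation. A guard such as `if (eLen > remLen) { ret = -EINVAL; goto exit; }` placed right after `eLen` is read would cover this branch and the copies in the hunks at -2628, -2638, -2654 and -2664.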
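Review bot: The WPS branch (hunk at -2628) now sets `ret = -EINVAL;` where the removed line returned `-ENOMEM`, while the identical "Cannot accommodate genIE" path in the hunk at -2654 keeps `ret = -ENOMEM;`. The commit message describes only new length validation, not an errno change, so the difference looks unintended. Pick one code for the "IE does not fit" condition and use it at both sites, for example `ret = -ENOMEM;` here if existing callers distinguish it.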
@@ -2638,6 +2638,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
 {
 hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ ret = -EINVAL;
+ VOS_ASSERT(0);
+ goto exit;
+ }
 memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
 memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
 pWextState->roamProfile.pWPAReqIE = pWextState->WPARSNIE;
@@ -2654,8 +2662,8 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
 "Need bigger buffer space");
 VOS_ASSERT(0);
- kfree(base_genie);
- return -ENOMEM;
+ ret = -ENOMEM;
+ goto exit;
 }
 // save to Additional IE ; it should be accumulated to handle WPS IE + other IE
 memcpy( pWextState->genIE.addIEdata + curGenIELen, genie - 2, eLen + 2);
@@ -2664,6 +2672,14 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 break;
 case DOT11F_EID_RSN:
 hddLog (LOG1, "%s Set RSN IE (len %d)",__func__, eLen+2);
+ if ((eLen + 2) > (sizeof(pWextState->WPARSNIE)))
+ {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "Cannot accommodate genIE. "
+ "Need bigger buffer space");
+ ret = -EINVAL;
+ VOS_ASSERT(0);
+ goto exit;
+ }
 memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
 memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2));
 pWextState->roamProfile.pRSNReqIE = pWextState->WPARSNIE;
@@ -2672,15 +2688,15 @@ static int __iw_set_genie(struct net_device *dev, struct iw_request_info *info,
 default:
 hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
- kfree(base_genie);
- return 0;
+ goto exit;
 }
 genie += eLen;
 remLen -= eLen;
 }
+exit:
 EXIT();
 kfree(base_genie);
- return 0;
+ return ret;
 }
 /**
-- cgit v1.1
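Review bot: The new bound in the WPA branch (hunk at -2638) tests `sizeof(pWextState->WPARSNIE)`, but the `memset` on the line after the check still clears `MAX_WPA_RSN_IE_LEN` bytes, so the guard and the write are sized by two different expressions. The declaration of `WPARSNIE` is not part of this diff; if the array is ever declared with a different size, the check can pass while the memset runs past the field. Use `memset(pWextState->WPARSNIE, 0, sizeof(pWextState->WPARSNIE));` here and in the RSN branch (hunk at -2664) so the check and both writes share one bound.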
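Review bot: The rejection path added in the RSN branch (hunk at -2664) calls `VOS_ASSERT(0)` and logs at `VOS_TRACE_LEVEL_FATAL` for a condition the commit message attributes to ioctl arguments of improper length, which is caller-controlled input. What `VOS_ASSERT` expands to is build-dependent and not visible here; if it can halt the system or dump a trace, any process permitted to issue this ioctl can trigger it repeatedly. Returning `-EINVAL` with an error-level message is sufficient: drop the `VOS_ASSERT(0);` line and log with `VOS_TRACE_LEVEL_ERROR`. The WPA branch (hunk at -2638) adds the same two lines.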
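Review bot: In the last hunk (at -2672) `default:` now jumps to `exit` without assigning `ret`, so an unknown element ID returns whatever value `ret` held when the loop was entered; its declaration and initial value are outside this diff. The removed code returned a literal 0, so make that explicit with `ret = 0;` before `goto exit;`. If stopping at the first unknown element is intended, a comment such as `/* unknown IE: stop parsing, remaining elements are ignored */` would document that the rest of the buffer is silently dropped.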