From 8cac3c4aac106b917e60e7aa7d4c4189e376913c Mon Sep 17 00:00:00 2001
From: Nishank Aggarwal
Date: Fri, 10 Feb 2017 15:48:13 +0530
Subject: wlan: Fix buffer overflow in WLANSAP_Set_WPARSNIes()

qcacld-2.0 to prima propagation

Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen is user-controllable and never validates which uses as the length for a memory copy. This enables user-space applications to corrupt heap memory and potentially crash the kernel.

Fix is to validate the WPARSNIes length to its max before use as the length for a memory copy.

Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
---
 CORE/HDD/src/wlan_hdd_hostapd.c | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 33f7d50..c0c5c14 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -4180,6 +4180,14 @@ static int __iw_set_ap_genie(struct net_device *dev,
 return 0;
 }
 
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN)
+ {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
+ wrqu->data.length);
+ return -EINVAL;
+ }
+
 switch (genie[0])
 {
 case DOT11F_EID_WPA:
-- 
cgit v1.1
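Review bot: The new length check in `__iw_set_ap_genie` guards only this ioctl path, while the memory copy the commit message describes happens inside `WLANSAP_Set_WPARSNIes()`, which this diff does not touch. If that function has any other caller, it would still receive an unchecked length, so the same bound belongs next to the copy as well, ideally expressed against the size of the destination buffer rather than `DOT11F_IE_RSN_MAX_LEN` in case the two differ. The error message is also misleading: it prints `wrqu->data.length` inside `max[%d]`, so the log labels the rejected input length as the maximum; `"%s: WPARSN IE length %d exceeds max %d", __func__, wrqu->data.length, DOT11F_IE_RSN_MAX_LEN` would report both values. The function body starts and ends outside the hunk, so the destination size and any buffer that needs releasing before the early `return -EINVAL;` cannot be confirmed from here.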