From 2c8961821b7691a95cbf5ecc6996e8229d6d5303 Mon Sep 17 00:00:00 2001
From: Arun Khandavalli
Date: Mon, 9 Nov 2015 10:28:18 +0530
Subject: wlan: validate essid length before processing scan req

Presently we are not validating the length of the essid received and directly copying the buffer without size checking. Perform bound checking before processing the scan req.

Change-Id: I786e4feb67bf039df3d217138a412da54f51787d
CRs-fixed: 890228
---
 CORE/HDD/src/wlan_hdd_scan.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/CORE/HDD/src/wlan_hdd_scan.c b/CORE/HDD/src/wlan_hdd_scan.c
index 8d3fa84..709fdec 100644
--- a/CORE/HDD/src/wlan_hdd_scan.c
+++ b/CORE/HDD/src/wlan_hdd_scan.c
@@ -740,7 +740,8 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info,
 if (wrqu->data.flags & IW_SCAN_THIS_ESSID) {
- if(scanReq->essid_len) {
+ if(scanReq->essid_len &&
+ (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH)) {
 scanRequest.SSIDs.numOfSSIDs = 1;
 scanRequest.SSIDs.SSIDList =( tCsrSSIDInfo *)vos_mem_malloc(sizeof(tCsrSSIDInfo));
 if(scanRequest.SSIDs.SSIDList) {
@@ -754,6 +755,10 @@ int __iw_set_scan(struct net_device *dev, struct iw_request_info *info,
 VOS_ASSERT(0);
 }
 }
+ else
+ {
+ hddLog(LOGE, FL("Invalid essid length : %d"), scanReq->essid_len);
+ }
 }
 /* set min and max channel time */
--
cgit v1.1
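Review bot: The new upper bound in `if(scanReq->essid_len && (scanReq->essid_len <= SIR_MAC_MAX_SSID_LENGTH))` protects a copy that is not visible in this hunk, and nothing on the line says which buffer the limit belongs to. I would add a comment above the condition, for example `/* essid_len is supplied by the caller; reject anything larger than the SSID buffer copied into below */`, so the check is not loosened in a later cleanup. It is also worth confirming that the destination array inside tCsrSSIDInfo is really sized SIR_MAC_MAX_SSID_LENGTH; comparing against sizeof of that destination would keep the limit tied to the buffer. The body of __iw_set_scan starts and ends outside the hunk, so whether scanReq itself is length-checked before this dereference cannot be judged from here.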
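Review bot: The added `else` pairs with `if(scanReq->essid_len && ...)`, so a zero essid_len, which the old code skipped silently, now also logs "Invalid essid length : 0" at LOGE. In both the zero and the over-long case execution falls through to the channel-time setup, so the scan appears to go ahead without the SSID filter the caller asked for. If an over-long length is meant to be rejected, returning an error would be clearer than log-and-continue; the function's exit path is outside the hunk, so any cleanup it needs would have to be checked first. If continuing is intended, restrict the message to the real error case with `else if (scanReq->essid_len > SIR_MAC_MAX_SSID_LENGTH)`. Since the value is caller-supplied, a rate-limited log call would also keep repeated bad requests from filling the kernel log.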