From 4e44b25b26a594aa8180827729d2b298c894fc5d Mon Sep 17 00:00:00 2001
From: Nishank Aggarwal
Date: Mon, 30 Jan 2017 15:32:32 +0530
Subject: qcacld-3.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()

qcacld-2.0 to qcacld-3.0 propagation

Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen is user-controllable and never validates which uses as the length for a memory copy. This enables user-space applications to corrupt heap memory and potentially crash the kernel.

Fix is to validate the WPARSNIes length to its max before use as the length for a memory copy.

Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
---
 core/hdd/src/wlan_hdd_hostapd.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
index c01d6a6..78c9df6 100644
--- a/core/hdd/src/wlan_hdd_hostapd.c
+++ b/core/hdd/src/wlan_hdd_hostapd.c
@@ -4979,6 +4979,12 @@ static int __iw_set_ap_genie(struct net_device *dev,
 		return 0;
 	}
 
+	if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
+		hdd_err("%s: WPARSN Ie input length is more than max[%d]",
+			__func__, wrqu->data.length);
+		return QDF_STATUS_E_INVAL;
+	}
+
 	switch (genie[0]) {
 	case DOT11F_EID_WPA:
 	case DOT11F_EID_RSN:
-- 
cgit v1.1
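Review bot: The new guard returns `QDF_STATUS_E_INVAL` from `__iw_set_ap_genie`, which the hunk header declares as `static int` and whose neighbouring `return 0;` appears to follow the int/errno convention of a wireless-extensions handler; QDF_STATUS error codes are non-negative enum values, so the ioctl path would likely not treat this rejection as the failure it is meant to be. Use `return -EINVAL;` here so the oversized request is reported as an error to the caller. The log line also prints the input length under the label `max[%d]`; printing both values, e.g. `hdd_err("%s: WPARSN Ie input length %d exceeds max %d", __func__, wrqu->data.length, DOT11F_IE_RSN_MAX_LEN);`, makes the reason for the rejection self-explanatory in the log. The same limit is applied ahead of both the DOT11F_EID_WPA and DOT11F_EID_RSN cases of the following switch, so it should be confirmed that the destination used for the WPA IE is at least DOT11F_IE_RSN_MAX_LEN bytes as well. The body of __iw_set_ap_genie begins and ends outside the hunk, so any earlier use of `wrqu->data.length` before this check is not visible here.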