DivestOS/Patches/Linux_CVEs/CVE-2017-11035/ANY/0001.patch
2017-11-07 17:32:46 -05:00

63 lines
2.1 KiB
Diff

From c5060da3e741577578d66dfadb7922d853da6156 Mon Sep 17 00:00:00 2001
From: Naveen Rawat <naveenrawat@codeaurora.org>
Date: Tue, 13 Jun 2017 17:29:51 -0700
Subject: qcacld-3.0: Add check for set_ft_ies buffer length
Add check for buffer length in function sme_set_ft_ies.
Change-Id: I7adc56e23316c0ceb193a5bdf8c4c0b5f4fbd20a
CRs-Fixed: 2055659
---
core/hdd/src/wlan_hdd_wext.c | 5 +++++
core/sme/src/common/sme_ft_api.c | 4 ++--
2 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/core/hdd/src/wlan_hdd_wext.c b/core/hdd/src/wlan_hdd_wext.c
index 637588d..9b35d19 100644
--- a/core/hdd/src/wlan_hdd_wext.c
+++ b/core/hdd/src/wlan_hdd_wext.c
@@ -13692,6 +13692,11 @@ static const struct iw_priv_args we_private_args[] = {
IW_PRIV_TYPE_INT | IW_PRIV_SIZE_FIXED | 1,
"hostroamdelay"}
,
+
+ {WLAN_PRIV_SET_FTIES,
+ IW_PRIV_TYPE_CHAR | MAX_FTIE_SIZE,
+ 0,
+ "set_ft_ies"},
};
const struct iw_handler_def we_handler_def = {
diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
index de4b656..f97b2e4 100644
--- a/core/sme/src/common/sme_ft_api.c
+++ b/core/sme/src/common/sme_ft_api.c
@@ -150,6 +150,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
switch (session->ftSmeContext.FTState) {
case eFT_START_READY:
case eFT_AUTH_REQ_READY:
+ sme_debug("ft_ies_length: %d", ft_ies_length);
if ((session->ftSmeContext.auth_ft_ies) &&
(session->ftSmeContext.auth_ft_ies_length)) {
/* Free the one we recvd last from supplicant */
@@ -157,6 +158,7 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
session->ftSmeContext.auth_ft_ies_length = 0;
session->ftSmeContext.auth_ft_ies = NULL;
}
+ ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);
/* Save the FT IEs */
session->ftSmeContext.auth_ft_ies =
qdf_mem_malloc(ft_ies_length);
@@ -169,8 +171,6 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
qdf_mem_copy((uint8_t *)session->ftSmeContext.auth_ft_ies,
ft_ies, ft_ies_length);
session->ftSmeContext.FTState = eFT_AUTH_REQ_READY;
-
- sme_debug("ft_ies_length: %d", ft_ies_length);
break;
case eFT_AUTH_COMPLETE:
--
cgit v1.1