DivestOS/Patches/Linux_CVEs/CVE-2017-6424/qcacld-2.0/0002.patch
2017-11-07 21:38:42 -05:00

41 lines
1.3 KiB
Diff

From 5cc2ac840e36a3342c5194c20b314f0bb95ef7e1 Mon Sep 17 00:00:00 2001
From: Nishank Aggarwal <naggar@codeaurora.org>
Date: Thu, 12 Jan 2017 14:32:02 +0530
Subject: qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validates which uses as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.
Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
---
CORE/HDD/src/wlan_hdd_hostapd.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 693c0c9..59b32f2 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -6099,6 +6099,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
return 0;
}
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
+ VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+ "%s: WPARSN Ie input length is more than max[%d]", __func__,
+ wrqu->data.length);
+ return -EINVAL;
+ }
+
switch (genie[0])
{
case DOT11F_EID_WPA:
--
cgit v1.1