mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-10-01 01:35:54 -04:00
42 lines
1.3 KiB
Diff
42 lines
1.3 KiB
Diff
From 4e44b25b26a594aa8180827729d2b298c894fc5d Mon Sep 17 00:00:00 2001
|
|
From: Nishank Aggarwal <naggar@codeaurora.org>
|
|
Date: Mon, 30 Jan 2017 15:32:32 +0530
|
|
Subject: qcacld-3.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
|
|
|
|
qcacld-2.0 to qcacld-3.0 propagation
|
|
|
|
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
|
|
is user-controllable and never validates which uses as the length
|
|
for a memory copy. This enables user-space applications to corrupt
|
|
heap memory and potentially crash the kernel.
|
|
|
|
Fix is to validate the WPARSNIes length to its max before use as the
|
|
length for a memory copy.
|
|
|
|
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
|
|
CRs-Fixed: 1102648
|
|
---
|
|
core/hdd/src/wlan_hdd_hostapd.c | 6 ++++++
|
|
1 file changed, 6 insertions(+)
|
|
|
|
diff --git a/core/hdd/src/wlan_hdd_hostapd.c b/core/hdd/src/wlan_hdd_hostapd.c
|
|
index c01d6a6..78c9df6 100644
|
|
--- a/core/hdd/src/wlan_hdd_hostapd.c
|
|
+++ b/core/hdd/src/wlan_hdd_hostapd.c
|
|
@@ -4979,6 +4979,12 @@ static int __iw_set_ap_genie(struct net_device *dev,
|
|
return 0;
|
|
}
|
|
|
|
+ if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
|
|
+ hdd_err("%s: WPARSN Ie input length is more than max[%d]",
|
|
+ __func__, wrqu->data.length);
|
|
+ return QDF_STATUS_E_INVAL;
|
|
+ }
|
|
+
|
|
switch (genie[0]) {
|
|
case DOT11F_EID_WPA:
|
|
case DOT11F_EID_RSN:
|
|
--
|
|
cgit v1.1
|
|
|