author | tinlin <tinlin@codeaurora.org> | 2018-06-25 19:34:14 +0800 |
---|---|---|
committer | Shirle Yuen <shirleyshukyee@google.com> | 2018-07-30 10:47:43 -0700 |
commit | fcf5683dd9a4c57c569a0c2f54d9e9d35d1eaa12 (patch) | |
tree | 2a904922a08612e0282682fbe7e2b50cce0db107 | |
parent | 0276896d25672900ae8d7511bbcbc05acf64ba72 (diff) | |
qcacld-2.0: Validate wpa ie length before extracting ie
propagation from qcacld-3.0 to qcacld-2.0
While initializing IBSS security settings, an integer underflow is
possible when extracting the WPA IE because the IE length is not
checked.
Add wpa ie length boundary check before extracting wpa ie.
Change-Id: I37d8ee5ea1e1ba12277128a1407783f5647251b6
CRs-Fixed: 2203077
Bug: 72679324
Bug: 111289931
(cherry picked from commit 70b178b306686fceae48be894c072be6c37a72f3)
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
index a93a2661b1d..85e07fcda47 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -24477,6 +24477,12 @@ static int wlan_hdd_cfg80211_set_privacy_ibss(
 if (NULL != ie)
 {
 pWextState->wpaVersion = IW_AUTH_WPA_VERSION_WPA;
+ if (ie[1] < DOT11F_IE_WPA_MIN_LEN ||
+ ie[1] > DOT11F_IE_WPA_MAX_LEN) {
+ hddLog(VOS_TRACE_LEVEL_ERROR, FL("invalid ie len:%d"),
+ ie[1]);
+ return -EINVAL;
+ }
 // Unpack the WPA IE
 //Skip past the EID byte and length byte - and four byte WiFi OUI
 dot11fUnpackIeWPA((tpAniSirGlobal) halHandle, |
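Review bot: The added length check sits after `pWextState->wpaVersion = IW_AUTH_WPA_VERSION_WPA;`, so when it rejects the IE the function returns -EINVAL with the WPA version already written into the wext state; moving the `if (ie[1] < DOT11F_IE_WPA_MIN_LEN || ...)` block above that assignment would leave the state untouched on failure. The guard only prevents the underflow named in the commit message if `DOT11F_IE_WPA_MIN_LEN` is at least the four OUI bytes skipped by the unpack call that follows, which deserves a comment such as `/* ie[1] must cover the 4-byte WiFi OUI skipped below */`. It also compares `ie[1]` with fixed limits only, and the hunk does not show whether the lookup that produced `ie` already verified that the element fits in the supplied IE buffer. The body of wlan_hdd_cfg80211_set_privacy_ibss begins and ends outside the hunk, so both points need checking against the full function.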