
qcacmn: Fix OOB in send_gtk_offload_cmd_tlv

In the current design, the host driver copies kck and kek from pmo_gtk_req
to the kck and kek fields of WMI_GTK_OFFLOAD_CMD_fixed_param. The host tries
to copy PMO_KCK_LEN, i.e. 32 bytes, to an array of length 16 bytes,
which can lead to OOB.

The fix is to copy only 16 bytes of kck and kek: copy as many bytes
from pmo_gtk_req as the size of cmd->kck and cmd->kek, i.e. the
destination array size, to avoid OOB.

Change-Id: I999add18e18bedc9cfa1a0cfa5c0dad781e8e13f
CRs-Fixed: 2470368
sheenam monga, 5 years ago
Parent
Current commit: 0c6cd801dc
1 file changed, 2 insertions(+), 2 deletions(-)

wmi/src/wmi_unified_pmo_tlv.c (+2 -2)

@@ -808,8 +808,8 @@ QDF_STATUS send_gtk_offload_cmd_tlv(wmi_unified_t wmi_handle, uint8_t vdev_id,
 		cmd->flags = gtk_offload_opcode;
 
 		/* Copy the keys and replay counter */
-		qdf_mem_copy(cmd->KCK, params->kck, PMO_KCK_LEN);
-		qdf_mem_copy(cmd->KEK, params->kek, PMO_KEK_LEN_LEGACY);
+		qdf_mem_copy(cmd->KCK, params->kck, sizeof(cmd->KCK));
+		qdf_mem_copy(cmd->KEK, params->kek, sizeof(cmd->KEK));
 		qdf_mem_copy(cmd->replay_counter, &params->replay_counter,
 			     GTK_REPLAY_COUNTER_BYTES);
 	} else {
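Review bot: bounding the copy by sizeof(cmd->KCK) and sizeof(cmd->KEK) removes the over-read described in the commit message, but when params->kck really carries PMO_KCK_LEN (32) bytes, the upper 16 bytes are now silently discarded and a truncated key is handed to firmware. Either state that truncation in the comment above the copies ("/* Copy the keys and replay counter */") or have the caller validate the incoming key length against sizeof(cmd->KCK) / sizeof(cmd->KEK) and reject oversized keys explicitly. A compile-time assertion that sizeof(params->kck) >= sizeof(cmd->KCK) and sizeof(params->kek) >= sizeof(cmd->KEK) would also guard against a future shrink of the pmo_gtk_req buffers turning these lines into a source over-read.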