qcacmn: Fix OOB in send_gtk_offload_cmd_tlv

In current design, Host driver copies kck and kek from pmo_gtk_req to kck and kek of WMI_GTK_OFFLOAD_CMD_fixed_param. Host tries to copy PMO_KCK_LEN i.e 32 bytes to an array of length 16 bytes which can lead to OOB. Fix is to copy only 16 bytes of kck and kek. Copy the bytes from pmo_gtk_req same as the size of cmd->kck and cmd->kek i.e destination array size to avoid OOB. Change-Id: I999add18e18bedc9cfa1a0cfa5c0dad781e8e13f CRs-Fixed: 2470368
2019-06-17 17:35:51 +05:30
parent a6c047026d
commit 0c6cd801dc
1 changed files with 2 additions and 2 deletions
--- a/wmi/src/wmi_unified_pmo_tlv.c
+++ b/wmi/src/wmi_unified_pmo_tlv.c
@@ -808,8 +808,8 @@ QDF_STATUS send_gtk_offload_cmd_tlv(wmi_unified_t wmi_handle, uint8_t vdev_id,
 		cmd->flags = gtk_offload_opcode;

 		/* Copy the keys and replay counter */
-		qdf_mem_copy(cmd->KCK, params->kck, PMO_KCK_LEN);
-		qdf_mem_copy(cmd->KEK, params->kek, PMO_KEK_LEN_LEGACY);
+		qdf_mem_copy(cmd->KCK, params->kck, sizeof(cmd->KCK));
+		qdf_mem_copy(cmd->KEK, params->kek, sizeof(cmd->KEK));
 		qdf_mem_copy(cmd->replay_counter, &params->replay_counter,
 			     GTK_REPLAY_COUNTER_BYTES);
 	} else {