qcacld-3.0: Corrections in buffer length checks in set_fils_config

In wlan_hdd_cfg80211_set_fils_config, incoming fils configs
are copied into local buffers. Buffer allocations happen with
internal length definitions, while lengths are checked against
definitions from WMI APIs. This may cause a buffer overwrite
for fils erp realm buffer.

Use the same definitions for length checks that are used for
allocations.

Change-Id: Ie26bb1fdec9b12b429cb74dd290c155deb6c32f8
CRs-Fixed: 2137834
Nachiket Kukade 7 years ago
commit 1be92caa6c
1 changed files with 3 additions and 3 deletions
+ 3 - 3
core/hdd/src/wlan_hdd_cfg80211.c

@@ -16208,9 +16208,9 @@ static int wlan_hdd_cfg80211_set_fils_config(struct hdd_adapter *adapter,
 		req->fils_erp_next_seq_num, req->auth_type,
 		req->fils_erp_username_len, req->fils_erp_rrk_len,
 		req->fils_erp_realm_len);
-	if (req->fils_erp_rrk_len > WMI_FILS_MAX_RRK_LENGTH ||
-		req->fils_erp_realm_len > WMI_FILS_MAX_REALM_LENGTH ||
-		req->fils_erp_username_len > WMI_FILS_MAX_USERNAME_LENGTH) {
+	if (req->fils_erp_rrk_len > FILS_MAX_RRK_LENGTH ||
+		req->fils_erp_realm_len > FILS_MAX_REALM_LEN ||
+		req->fils_erp_username_len > FILS_MAX_KEYNAME_NAI_LENGTH) {
 		hdd_err("FILS info length limit exceeded");
 		goto fils_conn_fail;
 	}
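
Review bot: The username bound, `req->fils_erp_username_len > FILS_MAX_KEYNAME_NAI_LENGTH`, is the one to double-check: the rrk and realm limits have names that match their fields, but this constant is named for a key-name NAI, so please confirm (ideally in the commit message) that it is the size the username buffer is actually allocated with. Because the defect was a length check and an allocation drifting onto different constants, consider bounding each length against sizeof of its destination buffer, or adding a compile-time assertion that relates the FILS_* limits to the WMI_FILS_* ones, so the two cannot diverge again. The hdd_err text "FILS info length limit exceeded" would also be more useful for triage if it named which of the three fields failed the check.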