瀏覽代碼

qca-wifi: Fix WEP sw encryption

24 bit IV is not considered part of the key resulted in buffer overflow.

Change-Id: I9642e719ca1535a76159412a329fc6ccf80c2eff
Nandha Kishore Easwaran 6 年之前
父節點
當前提交
1fdbc75a8c
共有 1 個文件被更改,包括 8 次插入1 次删除
  1. 8 1
      crypto/src/wlan_crypto_wep_sw.c

+ 8 - 1
crypto/src/wlan_crypto_wep_sw.c

@@ -63,7 +63,7 @@ void wlan_crypto_try_wep(const uint8_t *key, size_t key_len,
 
 uint8_t *wlan_crypto_wep_encrypt(const uint8_t *key, uint16_t key_len,
 					uint8_t *data, size_t data_len){
-	uint8_t k[16];
+	uint8_t k[WLAN_CRYPTO_KEY_WEP128_LEN + WLAN_CRYPTO_IV_LEN];
 	uint32_t icv;
 
 	if (data_len < 4 + 4) {
@@ -71,6 +71,13 @@ uint8_t *wlan_crypto_wep_encrypt(const uint8_t *key, uint16_t key_len,
 		return NULL;
 	}
 
+	if (!((key_len == WLAN_CRYPTO_KEY_WEP40_LEN) ||
+	    (key_len == WLAN_CRYPTO_KEY_WEP104_LEN) ||
+	    (key_len == WLAN_CRYPTO_KEY_WEP128_LEN))) {
+		crypto_err("invalid key len");
+		return NULL;
+	}
+
 	qdf_mem_copy(k, data, 3);
 	qdf_mem_copy(k + 3, key, key_len);
 	wlan_crypto_try_wep(k, 3 + key_len, data + 4, data_len - 4, &icv);