samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Avoid potential buffer over-flow in cfg80211 scan

Browse Source 
In __wlan_hdd_cfg80211_scan(), while copying ie data from
cfg80211_scan_request to local destination buffer, there is no check of
ie_len against maximum possible length of SIR_MAC_MAX_ADD_IE_LENGTH (2048).
This can result in buffer over-flow.

To address this, validate ie_len in cfg80211_scan_request.

Change-Id: I5da837395869704666762fdf57293d9561d3ad83
CRs-Fixed: 2247604
This commit is contained in:
Rajeev Kumar Sirasanagandla
2018-06-12 20:09:14 +05:30
committed by nshrivas
parent 921a02229a
commit 4192d988f0
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
core/hdd/src/wlan_hdd_scan.c
View File

@@ -575,6 +575,11 @@ static int __wlan_hdd_cfg80211_scan(struct wiphy *wiphy,
params.default_ie.len = 0;
/* Store the Scan IE's in Adapter*/
if (request->ie_len) {
if (request->ie_len > SIR_MAC_MAX_ADD_IE_LENGTH) {
hdd_debug("Invalid ie_len: %zu", request->ie_len);
return -EINVAL;
}
/* save this for future association (join requires this) */
memset(&scan_info->scan_add_ie, 0, sizeof(scan_info->scan_add_ie));
memcpy(scan_info->scan_add_ie.addIEdata, request->ie,