From 686833aedd752bf1a035c86872eff8b3ba76d8d8 Mon Sep 17 00:00:00 2001
From: Vignesh Viswanathan
Date: Fri, 20 Apr 2018 12:51:24 +0530
Subject: [PATCH] qcacld-3.0: Add sanity check for kek_len and pmk_len in WMA roam synch

In wma_fill_roam_synch_buffer, fils_info is received from the FW as part of roam synch event and contains kek_len and pmk_len. These lengths are used to copy the kek and pmk from the FW buffer to the roam_synch_ind_ptr respectively. If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds the SIR_PMK_LEN value, a buffer overwrite would occur during memcpy.
Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS or if pmk_len exceeds SIR_PMK_LEN.
Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436
CRs-Fixed: 2226386
---
 core/wma/src/wma_scan_roam.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/core/wma/src/wma_scan_roam.c b/core/wma/src/wma_scan_roam.c
index e2c36efd6f..012cff4800 100644
--- a/core/wma/src/wma_scan_roam.c
+++ b/core/wma/src/wma_scan_roam.c
@@ -2091,7 +2091,16 @@ static int wma_fill_roam_synch_buffer(tp_wma_handle wma,
 fils_info = (wmi_roam_fils_synch_tlv_param *)
 (param_buf->roam_fils_synch_info);
- if (param_buf->roam_fils_synch_info) {
+ if (fils_info) {
+ if ((fils_info->kek_len > SIR_KEK_KEY_LEN_FILS) ||
+ (fils_info->pmk_len > SIR_PMK_LEN)) {
+ WMA_LOGE("%s: Invalid kek_len %d or pmk_len %d",
+ __func__,
+ fils_info->kek_len,
+ fils_info->pmk_len);
+ return -EINVAL;
+ }
+
 roam_synch_ind_ptr->kek_len = fils_info->kek_len;
 qdf_mem_copy(roam_synch_ind_ptr->kek, fils_info->kek,
 fils_info->kek_len);