qcacld-3.0: Add sanity check for kek_len and pmk_len in WMA roam synch
In wma_fill_roam_synch_buffer, fils_info is received from the FW as part of roam synch event and contains kek_len and pmk_len. These lengths are used to copy the kek and pmk from the FW buffer to the roam_synch_ind_ptr respectively. If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds the SIR_PMK_LEN value, a buffer overwrite would occur during memcpy. Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS or if pmk_len exceeds SIR_PMK_LEN. Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436 CRs-Fixed: 2226386

committed by
Gerrit - the friendly Code Review server

parent
a36e9eb084
commit
686833aedd
@@ -2091,7 +2091,16 @@ static int wma_fill_roam_synch_buffer(tp_wma_handle wma,
|
||||
|
||||
fils_info = (wmi_roam_fils_synch_tlv_param *)
|
||||
(param_buf->roam_fils_synch_info);
|
||||
if (param_buf->roam_fils_synch_info) {
|
||||
if (fils_info) {
|
||||
if ((fils_info->kek_len > SIR_KEK_KEY_LEN_FILS) ||
|
||||
(fils_info->pmk_len > SIR_PMK_LEN)) {
|
||||
WMA_LOGE("%s: Invalid kek_len %d or pmk_len %d",
|
||||
__func__,
|
||||
fils_info->kek_len,
|
||||
fils_info->pmk_len);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
roam_synch_ind_ptr->kek_len = fils_info->kek_len;
|
||||
qdf_mem_copy(roam_synch_ind_ptr->kek, fils_info->kek,
|
||||
fils_info->kek_len);
|
||||
|
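Review bot: The new guard bounds `kek_len` and `pmk_len` only against the destination sizes (`SIR_KEK_KEY_LEN_FILS`, `SIR_PMK_LEN`); nothing visible in the hunk ties them to the size of the firmware-side `fils_info->kek` and `fils_info->pmk` fields, so if those are smaller than the destination the `qdf_mem_copy` could still read past the received TLV. If they are fixed arrays in the WMI struct, adding `fils_info->kek_len > sizeof(fils_info->kek)` (and the same for `pmk`) to the condition would cover the source side as well. The lengths are logged with `%d`; if they are unsigned in the WMI definition, which is likely but not shown here, `%u` is the matching specifier. wma_fill_roam_synch_buffer starts and ends outside the hunk, so whether the early `return -EINVAL` skips cleanup of anything set up earlier cannot be confirmed from this view.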