samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Add sanity check for kek_len and pmk_len in WMA roam synch

Browse Source 
In wma_fill_roam_synch_buffer, fils_info is received from the FW
as part of roam synch event and contains kek_len and pmk_len. These
lengths are used to copy the kek and pmk from the FW buffer to the
roam_synch_ind_ptr respectively.

If the kek_len exceeds the SIR_KEK_KEY_LEN_FILS or pmk_len exceeds
the SIR_PMK_LEN value, a buffer overwrite would occur during
memcpy.

Add sanity check to return error if kek_len exceeds SIR_KEK_KEY_LEN_FILS
or if pmk_len exceeds SIR_PMK_LEN.

Change-Id: I8035c54cb4cbd5b4065646377f7d1d2824f9c436
CRs-Fixed: 2226386
This commit is contained in:
Vignesh Viswanathan
2018-04-20 12:51:24 +05:30
committed by Gerrit - the friendly Code Review server
parent a36e9eb084
commit 686833aedd
1 changed files with 10 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
core/wma/src/wma_scan_roam.c
View File

@@ -2091,7 +2091,16 @@ static int wma_fill_roam_synch_buffer(tp_wma_handle wma,
fils_info = (wmi_roam_fils_synch_tlv_param *) fils_info = (wmi_roam_fils_synch_tlv_param *)
(param_buf->roam_fils_synch_info); (param_buf->roam_fils_synch_info);
if (param_buf->roam_fils_synch_info) { if (fils_info) {
if ((fils_info->kek_len > SIR_KEK_KEY_LEN_FILS) ||
(fils_info->pmk_len > SIR_PMK_LEN)) {
WMA_LOGE("%s: Invalid kek_len %d or pmk_len %d",
__func__,
fils_info->kek_len,
fils_info->pmk_len);
return -EINVAL;
}
roam_synch_ind_ptr->kek_len = fils_info->kek_len; roam_synch_ind_ptr->kek_len = fils_info->kek_len;
qdf_mem_copy(roam_synch_ind_ptr->kek, fils_info->kek, qdf_mem_copy(roam_synch_ind_ptr->kek, fils_info->kek,
fils_info->kek_len); fils_info->kek_len);