From 87baef651fcb908b334c0034e98adde90be848b0 Mon Sep 17 00:00:00 2001
From: Ashish Kumar Dhanotiya
Date: Mon, 23 Dec 2019 15:31:06 +0530
Subject: [PATCH] qcacld-3.0: Validate assoc response IE len before copy

When host sends assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer.

Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2583124
---
 core/hdd/src/wlan_hdd_assoc.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index f4fadd21b3..b872ffa629 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -2332,8 +2332,9 @@ static void hdd_send_re_assoc_event(struct net_device *dev,
 		goto done;
 	}
 
-	if (roam_info->nAssocRspLength == 0) {
-		hdd_err("Assoc rsp length is 0");
+	if (roam_info->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+		hdd_err("Invalid assoc rsp length %d",
+			roam_info->nAssocRspLength);
 		goto done;
 	}
 
@@ -2363,6 +2364,10 @@ static void hdd_send_re_assoc_event(struct net_device *dev,
 
 	/* Send the Assoc Resp, the supplicant needs this for initial Auth */
 	len = roam_info->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+	if (len > IW_GENERIC_IE_MAX) {
+		hdd_err("Invalid Assoc resp length %d", len);
+		goto done;
+	}
 	rsp_rsn_lemgth = len;
 	qdf_mem_copy(rsp_rsn_ie, assoc_rsp, len);
 	qdf_mem_zero(rsp_rsn_ie + len, IW_GENERIC_IE_MAX - len);
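Review bot: The new lower-bound check in the first hunk prints `roam_info->nAssocRspLength` with `%d`; if that field is an unsigned length type (the hunk does not show its declaration), `%u` is the matching specifier and keeps a large value from being logged as negative. The reason for the FT_ASSOC_RSP_IES_OFFSET bound is not stated where the reader meets it — it exists so that the `nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET` computed in the second hunk cannot go negative or wrap — so a comment above the if, `/* need at least the fixed fields, so the IE offset below cannot underflow */`, would record that dependency. hdd_send_re_assoc_event starts before this hunk and continues past it.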
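Review bot: The guard `if (len > IW_GENERIC_IE_MAX)` in the second hunk assumes rsp_rsn_ie is exactly IW_GENERIC_IE_MAX bytes, which the qdf_mem_zero on the last line implies but nothing in the hunk declares; if rsp_rsn_ie is a local array (its declaration is outside the hunk), using `sizeof(rsp_rsn_ie)` in the check, the zeroing and the log keeps the three bounds tied to the real buffer should it ever be resized. This check is sufficient only because the first hunk rejects nAssocRspLength below FT_ASSOC_RSP_IES_OFFSET; depending on len's type it could otherwise be negative or wrapped here and still pass, which is worth a one-line comment on the check. The log line would also be more useful naming the limit it enforces: `hdd_err("Assoc rsp IE len %d exceeds %d", len, IW_GENERIC_IE_MAX);`. hdd_send_re_assoc_event begins before this hunk and its done: label is outside it.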