Sfoglia il codice sorgente

qcacld-3.0: Add SSID length boundary check while processing vendor scan request

While extracting SSID from nl attributes, Currently there is
no boundary check for max and min length. Hence host causes
buffer overflow.

As a part of this fix, Add ssid array boundary check to avoid
buffer overflow.

CRs-Fixed: 1069298
Change-Id: I395be358f7bf3f23bb9453d1ed6c3dc9025f4aab
SaidiReddy Yenuga 8 anni fa
parent
commit
89c58d2137
1 ha cambiato i file con 6 aggiunte e 0 eliminazioni
  1. 6 0
      core/hdd/src/wlan_hdd_scan.c

+ 6 - 0
core/hdd/src/wlan_hdd_scan.c

@@ -2012,6 +2012,12 @@ static int __wlan_hdd_cfg80211_vendor_scan(struct wiphy *wiphy,
 		nla_for_each_nested(attr, tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS],
 				tmp) {
 			request->ssids[count].ssid_len = nla_len(attr);
+			if (request->ssids[count].ssid_len >
+				SIR_MAC_MAX_SSID_LENGTH) {
+				hdd_err("SSID Len %d is not correct for network %d",
+					 request->ssids[count].ssid_len, count);
+				goto error;
+			}
 			memcpy(request->ssids[count].ssid, nla_data(attr),
 					nla_len(attr));
 			count++;