From 9c749db62c17eba85b26cd84985cbec0a85e41e9 Mon Sep 17 00:00:00 2001
From: Jeff Johnson
Date: Mon, 7 May 2018 12:50:46 -0700
Subject: [PATCH] qcacld-3.0: Prevent overread of SSID in hdd_fill_pmksa_info()
Currently when transferring SSID information from the nl80211 TLV to the internal data structure hdd_fill_pmksa_info() always copies SIR_MAC_MAX_SSID_LENGTH bytes which can overread the buffer. In order to prevent overread only copy as many bytes as the TLV contains. Note that the destination buffer passed to hdd_fill_pmksa_info() is always zero-filled so no additional zeroing of bytes is required.
Change-Id: I1f6773b70e9e728d6b1ce93ca26417348e96844c
CRs-Fixed: 2237462
---
 core/hdd/src/wlan_hdd_cfg80211.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 911951526c..61e563f6f0 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -20837,8 +20837,7 @@ static void hdd_fill_pmksa_info(tPmkidCacheInfo *pmk_cache,
 qdf_mem_copy(pmk_cache->BSSID.bytes, pmksa->bssid, QDF_MAC_ADDR_SIZE);
 } else {
- qdf_mem_copy(pmk_cache->ssid, pmksa->ssid,
- SIR_MAC_MAX_SSID_LENGTH);
+ qdf_mem_copy(pmk_cache->ssid, pmksa->ssid, pmksa->ssid_len);
 qdf_mem_copy(pmk_cache->cache_id, pmksa->cache_id, CACHE_ID_LEN);
 pmk_cache->ssid_len = pmksa->ssid_len;
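Review bot: The new `qdf_mem_copy(pmk_cache->ssid, pmksa->ssid, pmksa->ssid_len)` is bounded only by the source length, so the write into `pmk_cache->ssid` now depends on `pmksa->ssid_len` never exceeding the destination size, and nothing in the hunk checks that. The removed lines imply the destination holds SIR_MAC_MAX_SSID_LENGTH bytes; if the nl80211 attribute policy is what guarantees the limit, that is worth stating in a comment, and a guard ahead of the copy such as `if (pmksa->ssid_len > SIR_MAC_MAX_SSID_LENGTH) return;` (with an error log) would keep the copy safe should that assumption ever change. The commit message also relies on every caller passing a zero-filled `pmk_cache`; a one-line comment on that precondition above the copy would stop a future caller from leaving stale bytes past `ssid_len`. hdd_fill_pmksa_info() starts and ends outside the hunk, so an existing length check earlier in the function cannot be ruled out.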