
qcacld-3.0: Fix integer Underflow in csr_update_fils_params_rso

Fix an integer underflow in csr_update_fils_params_rso, as it may
cause a buffer overflow.

Change-Id: I25b31f5c0f207be09ac30d5f95911d3866d12d66
CRs-Fixed: 2204872
Arif Hussain 7 years ago
parent
commit
a216f678bf
1 changed files with 13 additions and 6 deletions
  1. 13 6
      core/sme/src/csr/csr_api_roam.c

+ 13 - 6
core/sme/src/csr/csr_api_roam.c

@@ -19161,6 +19161,7 @@ static void csr_update_fils_params_rso(tpAniSirGlobal mac,
 {
 	struct roam_fils_params *roam_fils_params;
 	struct cds_fils_connection_info *fils_info;
+	uint32_t usr_name_len;
 
 	if (!session->pCurRoamProfile)
 		return;
@@ -19182,13 +19183,19 @@ static void csr_update_fils_params_rso(tpAniSirGlobal mac,
 		return;
 	}
 
+	usr_name_len = copy_all_before_char(fils_info->keyname_nai,
+					    sizeof(fils_info->keyname_nai),
+					    roam_fils_params->username,
+					    sizeof(roam_fils_params->username),
+					    '@');
+	if (fils_info->key_nai_length <= usr_name_len) {
+		sme_err("Fils info len error: key nai len %d, user name len %d",
+			fils_info->key_nai_length, usr_name_len);
+		return;
+	}
+
+	roam_fils_params->username_length = usr_name_len;
 	req_buffer->is_fils_connection = true;
-	roam_fils_params->username_length =
-			copy_all_before_char(fils_info->keyname_nai,
-					     sizeof(fils_info->keyname_nai),
-					     roam_fils_params->username,
-					     sizeof(roam_fils_params->username),
-					     '@');
 
 	roam_fils_params->next_erp_seq_num =
 			(fils_info->sequence_number + 1);
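Review bot: The new guard `if (fils_info->key_nai_length <= usr_name_len)` keeps a later length subtraction from wrapping, but nothing in the visible lines bounds `key_nai_length` by the size of the buffer it describes. If code further down derives a realm length from `key_nai_length - username_length - 1` (the function body continues outside the hunk, so this is inferred from the commit message), an oversized `key_nai_length` would still yield a copy length past the end of `keyname_nai`. Unless the field is already validated where it is populated, the guard should reject that case too: `if (fils_info->key_nai_length > sizeof(fils_info->keyname_nai) || fils_info->key_nai_length <= usr_name_len) {`. Separately, `usr_name_len` is a `uint32_t`, so the `sme_err` format should print it with `%u` rather than `%d`.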