From 62d9899e8cd5aee9f1360b9549e52403eb6aeb65 Mon Sep 17 00:00:00 2001
From: Vignesh Viswanathan
Date: Thu, 30 Nov 2017 12:30:37 +0530
Subject: [PATCH] qcacld-3.0: Fix potential buffer over-read during FILS Association

In function wlan_hdd_send_roam_auth_event, FILS kek is copied to skb for the vendor command QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KEK for kek_len length. There is no validation for the max value of kek_len and would lead to an buffer over-read if kek_len exceeds SIR_KEK_KEY_LEN_FILS.

Add sanity check for kek_len for max limit SIR_KEK_KEY_LEN_FILS before copying the kek to skb.

Change-Id: I4290909cd2df8686a32d25aa14711db2b899b2eb
CRs-Fixed: 2152985
---
 core/hdd/src/wlan_hdd_cfg80211.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 70e54f98d6..19b6bc65e2 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -5736,13 +5736,15 @@ int wlan_hdd_send_roam_auth_event(struct hdd_adapter *adapter, uint8_t *bssid,
 hdd_err("failed to send replay counter");
 goto nla_put_failure;
 }
- if (nla_put(skb,
+ if (roam_info_ptr->kek_len > SIR_KEK_KEY_LEN_FILS ||
+ nla_put(skb,
 QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KCK,
 SIR_KCK_KEY_LEN, roam_info_ptr->kck) ||
 nla_put(skb,
 QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KEK,
 roam_info_ptr->kek_len, roam_info_ptr->kek)) {
- hdd_err("nla put fail");
+ hdd_err("nla put fail, kek_len %d",
+ roam_info_ptr->kek_len);
 goto nla_put_failure;
 }
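Review bot: The new bound on `roam_info_ptr->kek_len` (the added `if (roam_info_ptr->kek_len > SIR_KEK_KEY_LEN_FILS ||` line) protects only this netlink copy; if `roam_info_ptr->kek` is a fixed SIR_KEK_KEY_LEN_FILS-byte array that was filled from the firmware roam event before this function runs — something this hunk cannot show — an oversized kek_len would already have overrun that buffer, so the same limit should be enforced at the point where kek_len is first accepted from the event, not only here. Folding the check into the nla_put condition also makes the message `"nla put fail, kek_len %d"` report a validation failure as a netlink failure; a separate guard before the chain, `if (roam_info_ptr->kek_len > SIR_KEK_KEY_LEN_FILS) {` / `hdd_err("kek_len %d exceeds SIR_KEK_KEY_LEN_FILS", roam_info_ptr->kek_len);` / `goto nla_put_failure;`, keeps the log honest and makes the bound visible to the next reader. The `%d` specifier is only correct if kek_len is an int-sized or smaller integer field (promotion covers `uint8_t`/`uint16_t`); if it is a wider unsigned type the specifier should be adjusted, and `%u` would be clearer for a length in any case. wlan_hdd_send_roam_auth_event starts before this hunk, and the header's +15 count suggests one trailing context line was lost when the diff was collapsed.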