qcacld-3.0: Sanitize fils_erp_rrk_len before doing memcpy
Currently, the hdd_update_connect_params_fils_info() function blindly trusts the size and copies into the fils_info->r_rk buffer, putting it at risk of buffer overflow. Add a check to make sure the buffer passed in to be copied to fils_info->r_rk is of the proper length.

Change-Id: I9ad2405ca1acd83591bea2aa43406909ad1c58e4
CRs-Fixed: 2580776

Committed by: nshrivas
Parent: b1e993f96a
Commit: dc26e04062
@@ -23316,6 +23316,11 @@ hdd_update_connect_params_fils_info(struct hdd_adapter *adapter,
|
||||
fils_info->sequence_number = req->fils_erp_next_seq_num + 1;
|
||||
fils_info->r_rk_length = req->fils_erp_rrk_len;
|
||||
|
||||
if (fils_info->r_rk_length > FILS_MAX_RRK_LENGTH) {
|
||||
hdd_err("r_rk_length is invalid");
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (req->fils_erp_rrk_len && req->fils_erp_rrk)
|
||||
qdf_mem_copy(fils_info->r_rk, req->fils_erp_rrk,
|
||||
fils_info->r_rk_length);
|
||||
|
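Review bot: The bound check runs after `fils_info->r_rk_length = req->fils_erp_rrk_len;`, so on the `-EINVAL` path `fils_info->r_rk_length` is left holding the out-of-range value. If `fils_info` outlives this call, any later reader that trusts `r_rk_length` as the valid size of `r_rk` still sees a length larger than `FILS_MAX_RRK_LENGTH`. Validate `req->fils_erp_rrk_len` against `FILS_MAX_RRK_LENGTH` first and assign `r_rk_length` only once it has passed, or reset it to 0 before returning. A related inconsistency in the unchanged lines: when `req->fils_erp_rrk_len` is non-zero but `req->fils_erp_rrk` is NULL, the copy is skipped while `r_rk_length` stays non-zero, so the stored length does not describe what is in `r_rk`; setting the length inside the same `if` as the `qdf_mem_copy()` would keep the two in step. Finally, `hdd_err("r_rk_length is invalid")` would be more useful for triage if it logged the rejected length and the maximum.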