
qcacld-3.0: Fix suspicious dereference of pointer

Add a proper NULL check before dereferencing the pointer,
and add a check that validates the buffer length before
copying data.

Change-Id: I41d4dd2119b4525ab1b5b43d44a2d872129a3c31
CRs-Fixed: 2043356
Abhishek Singh 8 anos atrás
pai
commit
e4b6b4ede2

+ 11 - 6
core/mac/src/pe/lim/lim_process_fils.c

@@ -531,14 +531,17 @@ static void lim_get_keys(tpPESession pe_session)
 	struct pe_fils_session *fils_info = pe_session->fils_info;
 	uint8_t key_data[MAX_ICK_LEN + MAX_KEK_LEN + MAX_TK_LEN] = {0};
 	uint8_t key_data_len;
-	uint8_t ick_len = lim_get_ick_len(fils_info->akm);
-	uint8_t kek_len = lim_get_kek_len(fils_info->akm);
+	uint8_t ick_len;
+	uint8_t kek_len;
 	uint8_t tk_len = lim_get_tk_len(pe_session->encryptType);
 	uint8_t *buf;
 
 	if (!fils_info)
 		return;
 
+	ick_len = lim_get_ick_len(fils_info->akm);
+	kek_len = lim_get_kek_len(fils_info->akm);
+
 	key_data_len = ick_len + kek_len + tk_len;
 
 	data_len = 2 * SIR_FILS_NONCE_LENGTH + 2 * QDF_MAC_ADDR_SIZE;
@@ -703,7 +706,7 @@ static QDF_STATUS lim_process_auth_wrapped_data(tpPESession pe_session,
 	uint8_t type;
 	unsigned long flags;
 	struct pe_fils_session *fils_info;
-	uint8_t hash[32], crypto;
+	uint8_t hash[32] = {0}, crypto;
 	uint32_t remaining_len = data_len, new_len;
 	uint8_t *input_data[1];
 	uint32_t input_len[1];
@@ -1156,9 +1159,11 @@ void lim_update_fils_config(tpPESession session,
 		qdf_mem_free(csr_fils_info->keyname_nai_data);
 		return;
 	}
-	qdf_mem_copy(csr_fils_info->fils_r_rk,
-			fils_config_info->r_rk,
-			fils_config_info->r_rk_length);
+
+	if (fils_config_info->r_rk_length <= FILS_MAX_RRK_LENGTH)
+		qdf_mem_copy(csr_fils_info->fils_r_rk,
+				fils_config_info->r_rk,
+				fils_config_info->r_rk_length);
 
 	qdf_mem_copy(csr_fils_info->fils_pmkid,
 			fils_config_info->pmkid, PMKID_LEN);
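Review bot: An oversized r_rk is now silently skipped rather than rejected: when `fils_config_info->r_rk_length` exceeds FILS_MAX_RRK_LENGTH the copy at the new `if` is not performed, but the function continues as if the FILS configuration were valid and `csr_fils_info->fils_r_rk` is left with whatever it held before. The branch just above this one (the `qdf_mem_free(csr_fils_info->keyname_nai_data); return;` path) shows the function's existing convention for invalid input, so the length failure should follow it, e.g. `if (fils_config_info->r_rk_length > FILS_MAX_RRK_LENGTH) { pe_err("r_rk_length %d exceeds max", fils_config_info->r_rk_length); qdf_mem_free(csr_fils_info->keyname_nai_data); return; }` in place of the new guard, so a bad length cannot leave a half-populated session. If r_rk_length is also stored into the session elsewhere in this function, that store presumably needs the same guard; that code is not in the hunk. lim_update_fils_config starts and ends outside the hunk.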

+ 3 - 1
core/mac/src/pe/lim/lim_utils.c

@@ -8056,13 +8056,15 @@ bool lim_check_if_vendor_oui_match(tpAniSirGlobal mac_ctx,
 			       uint8_t *ie, uint8_t ie_len)
 {
 	uint8_t *ptr = ie;
-	uint8_t elem_id = *ie;
+	uint8_t elem_id;
 
 	if (NULL == ie || 0 == ie_len) {
 		pe_err("IE Null or ie len zero %d", ie_len);
 		return false;
 	}
 
+	elem_id = *ie;
+
 	if (elem_id == IE_EID_VENDOR &&
 		!qdf_mem_cmp(&ptr[2], oui, oui_len))
 		return true;
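Review bot: The comparison `!qdf_mem_cmp(&ptr[2], oui, oui_len)` still reads oui_len bytes starting two bytes into the IE while the added guard only rejects ie_len == 0, so a short vendor IE (ie_len < 2 + oui_len) is compared past its end; moving the `*ie` dereference below the NULL check fixes the dereference but not this read. The condition should also bound the compare by the IE length, e.g. `if (elem_id == IE_EID_VENDOR && ie_len >= 2 + oui_len && !qdf_mem_cmp(&ptr[2], oui, oui_len))`. The NULL/zero-length check would read more clearly with the `ptr` initialization also moved below it, though that is purely stylistic. lim_check_if_vendor_oui_match's signature starts before the hunk and its body continues past it.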