samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix suspicious dereference of pointer

Browse Source 
Add proper NULL check before dereferencing pointer,
also add check to validate length of buffer before
copy data.

Change-Id: I41d4dd2119b4525ab1b5b43d44a2d872129a3c31
CRs-Fixed: 2043356
This commit is contained in:
Abhishek Singh
2017-05-05 19:00:17 +05:30
committed by snandini
parent f86f90520d
commit e4b6b4ede2
2 changed files with 14 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
core/mac/src/pe/lim/lim_process_fils.c
View File

@@ -531,14 +531,17 @@ static void lim_get_keys(tpPESession pe_session)
struct pe_fils_session *fils_info = pe_session->fils_info;
uint8_t key_data[MAX_ICK_LEN + MAX_KEK_LEN + MAX_TK_LEN] = {0};
uint8_t key_data_len;
uint8_t ick_len = lim_get_ick_len(fils_info->akm);
uint8_t kek_len = lim_get_kek_len(fils_info->akm);
uint8_t ick_len;
uint8_t kek_len;
uint8_t tk_len = lim_get_tk_len(pe_session->encryptType);
uint8_t *buf;
if (!fils_info)
return;
ick_len = lim_get_ick_len(fils_info->akm);
kek_len = lim_get_kek_len(fils_info->akm);
key_data_len = ick_len + kek_len + tk_len;
data_len = 2 * SIR_FILS_NONCE_LENGTH + 2 * QDF_MAC_ADDR_SIZE;
@@ -703,7 +706,7 @@ static QDF_STATUS lim_process_auth_wrapped_data(tpPESession pe_session,
uint8_t type;
unsigned long flags;
struct pe_fils_session *fils_info;
uint8_t hash[32], crypto;
uint8_t hash[32] = {0}, crypto;
uint32_t remaining_len = data_len, new_len;
uint8_t *input_data[1];
uint32_t input_len[1];
@@ -1156,9 +1159,11 @@ void lim_update_fils_config(tpPESession session,
qdf_mem_free(csr_fils_info->keyname_nai_data);
return;
}
qdf_mem_copy(csr_fils_info->fils_r_rk,
fils_config_info->r_rk,
fils_config_info->r_rk_length);
if (fils_config_info->r_rk_length <= FILS_MAX_RRK_LENGTH)
qdf_mem_copy(csr_fils_info->fils_r_rk,
fils_config_info->r_rk,
fils_config_info->r_rk_length);
qdf_mem_copy(csr_fils_info->fils_pmkid,
fils_config_info->pmkid, PMKID_LEN);

4
core/mac/src/pe/lim/lim_utils.c
View File

@@ -8056,13 +8056,15 @@ bool lim_check_if_vendor_oui_match(tpAniSirGlobal mac_ctx,
uint8_t *ie, uint8_t ie_len)
{
uint8_t *ptr = ie;
uint8_t elem_id = *ie;
uint8_t elem_id;
if (NULL == ie || 0 == ie_len) {
pe_err("IE Null or ie len zero %d", ie_len);
return false;
}
elem_id = *ie;
if (elem_id == IE_EID_VENDOR &&
!qdf_mem_cmp(&ptr[2], oui, oui_len))
return true;