|
|
@@ -18678,12 +18678,25 @@ static int wlan_hdd_cfg80211_set_ie(struct hdd_adapter *adapter,
|
|
|
/* Setting WAPI Mode to ON=1 */
|
|
|
adapter->wapi_info.wapi_mode = 1;
|
|
|
hdd_debug("WAPI MODE IS %u", adapter->wapi_info.wapi_mode);
|
|
|
- tmp = (uint8_t *)ie;
|
|
|
- tmp = tmp + 4; /* Skip element Id and Len, Version */
|
|
|
+ /* genie is pointing to data field of WAPI IE's buffer */
|
|
|
+ tmp = (uint8_t *)genie;
|
|
|
+ /* Validate length for Version(2 bytes) and Number
|
|
|
+ * of AKM suite (2 bytes) in WAPI IE buffer, coming from
|
|
|
+ * supplicant*/
|
|
|
+ if (eLen < 4) {
|
|
|
+ hdd_err("Invalid IE Len: %u", eLen);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
+ tmp = tmp + 2; /* Skip Version */
|
|
|
/* Get the number of AKM suite */
|
|
|
akmsuiteCount = WPA_GET_LE16(tmp);
|
|
|
/* Skip the number of AKM suite */
|
|
|
tmp = tmp + 2;
|
|
|
+ /* Validate total length for WAPI IE's buffer */
|
|
|
+ if (eLen < (4 + (akmsuiteCount * sizeof(uint32_t)))) {
|
|
|
+ hdd_err("Invalid IE Len: %u", eLen);
|
|
|
+ return -EINVAL;
|
|
|
+ }
|
|
|
/* AKM suite list, each OUI contains 4 bytes */
|
|
|
akmlist = (uint32_t *)(tmp);
|
|
|
if (akmsuiteCount <= MAX_NUM_AKM_SUITES) {
|
Abhinav Kumar