qcacmn: Fix OOB issue in wlan_parse_rsn_ie
Issue: Currently, the host doesn't validate pmkid_count before populating rsn->pmkid. The rsn->pmkid array can hold only MAX_PMKID (4) PMKIDs, so an OOB write can occur if the host tries to copy more than MAX_PMKID PMKIDs. Fix: validate pmkid_count before populating rsn->pmkid and return failure if pmkid_count is greater than MAX_PMKID, to avoid the OOB write. Change-Id: I211ea791a52ecb84872d139929f999a89db240d5 CRs-Fixed: 2724407

committed by
nshrivas

vanhempi
4b9b060974
commit
fe1e85068c
@@ -1666,7 +1666,8 @@ static inline QDF_STATUS wlan_parse_rsn_ie(uint8_t *rsn_ie,
|
||||
rsn->pmkid_count = LE_READ_2(ie);
|
||||
ie += 2;
|
||||
rem_len -= 2;
|
||||
if (rsn->pmkid_count > (unsigned int) rem_len / PMKID_LEN) {
|
||||
if (rsn->pmkid_count > MAX_PMKID ||
|
||||
rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN) {
|
||||
rsn->pmkid_count = 0;
|
||||
return QDF_STATUS_E_INVAL;
|
||||
}
|
||||
|
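Review bot: The second clause of the new condition, `rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN`, only bounds the read from `ie` if `rem_len` is non-negative after `rem_len -= 2`, and no guard for that is visible in this hunk. The cast applies before the division, so if `rem_len` is a signed type and can be below 2 at this point, it becomes a very large unsigned value and the source-length check passes for any count. The new `MAX_PMKID` clause would then still bound the write into `rsn->pmkid`, but not the read from the IE buffer. It is worth confirming that an earlier `rem_len < 2` check exists in wlan_parse_rsn_ie, whose body starts and ends outside the hunk. I would also add a comment above the condition such as `/* MAX_PMKID bounds the rsn->pmkid destination array; rem_len / PMKID_LEN bounds the IE source buffer */` so that neither clause is later removed as redundant.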