Home Verkennen Help
Inloggen
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Vork 0
Bestanden Issues 0 Pull-aanvragen 0 Wiki
Bladeren bron

qcacmn: Fix OOB issue in wlan_parse_rsn_ie

Issue: Currently, host doesn't validate pkid_count
before populating data in rsn->pmkid. rsn->pmkid array
can store only 4/MAX_PMKID pmkids which may cause OOB
write if host tries to copy pmkids more than MAX_PMKID.

Fix: validate pkid_count before populating rsn->pmkid
and return Failure in case pkid_count becomes greater
than MAX_PMKID to avoid OOB.

Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
sheenam monga 5 jaren geleden
bovenliggende
4b9b060974
commit
fe1e85068c
1 gewijzigde bestanden met toevoegingen van 2 en 1 verwijderingen
Zij-aan-zij weergave Toon Diff Stats
  1. 2 1
      umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h

+ 2 - 1
umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
Bestand weergeven 

@@ -1666,7 +1666,8 @@ static inline QDF_STATUS wlan_parse_rsn_ie(uint8_t *rsn_ie,
 
 		rsn->pmkid_count = LE_READ_2(ie);
 
 		ie += 2;
 
 		rem_len -= 2;
 
-		if (rsn->pmkid_count > (unsigned int) rem_len / PMKID_LEN) {
 
+		if (rsn->pmkid_count > MAX_PMKID ||
 
+		    rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN) {
 
 			rsn->pmkid_count = 0;
 
 			return QDF_STATUS_E_INVAL;
 
 		}