Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 186f0ba1 authored by Ashish Kumar Dhanotiya's avatar Ashish Kumar Dhanotiya Committed by Gerrit - the friendly Code Review server
Browse files

wlan: Validate assoc response IE len before copy 

When host sends ft assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.

Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78
CRs-Fixed: 2616225
parent 48859186

CORE/HDD/src/wlan_hdd_assoc.c

+12 −5
Original line number Diff line number Diff line
@@ -951,10 +951,10 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap 
    unsigned int len = 0;

    u8 *pFTAssocRsp = NULL;



    if (pCsrRoamInfo->nAssocRspLength == 0)

    if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)

    {

        hddLog(LOGE,

            "%s: pCsrRoamInfo->nAssocRspLength=%d",

            "%s: Invalid assoc rsp length %d",

            __func__, (int)pCsrRoamInfo->nAssocRspLength);

        return;

    }
@@ -973,6 +973,16 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap 
        (unsigned int)pFTAssocRsp[0],

        (unsigned int)pFTAssocRsp[1]);



    /* Send the Assoc Resp, the supplicant needs this for initial Auth. */

    len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;

    if (len > IW_GENERIC_IE_MAX) {

        hddLog(LOGE,

             "%s: Invalid assoc rsp length %d",

             __func__, (int)pCsrRoamInfo->nAssocRspLength);

        return;

    }

    wrqu.data.length = len;



    // We need to send the IEs to the supplicant.

    buff = kmalloc(IW_GENERIC_IE_MAX, GFP_ATOMIC);

    if (buff == NULL)
@@ -981,9 +991,6 @@ static void hdd_SendFTAssocResponse(struct net_device *dev, hdd_adapter_t *pAdap 
        return;

    }



    // Send the Assoc Resp, the supplicant needs this for initial Auth.

    len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;

    wrqu.data.length = len;

    memset(buff, 0, IW_GENERIC_IE_MAX);

    memcpy(buff, pFTAssocRsp, len);

    wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);