Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 48859186 authored by Ashish Kumar Dhanotiya's avatar Ashish Kumar Dhanotiya Committed by Gerrit - the friendly Code Review server
Browse files

wlan: Validate assoc response IE len before copy 

When host sends assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.

Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2616226
parent 856c103e

CORE/HDD/src/wlan_hdd_assoc.c

+9 −2
Original line number Diff line number Diff line
@@ -2230,8 +2230,10 @@ static void hdd_SendReAssocEvent(struct net_device *dev, hdd_adapter_t *pAdapter 
        goto done;

    }



    if (pCsrRoamInfo->nAssocRspLength == 0) {

        hddLog(LOGE, "%s: Invalid assoc response length", __func__);

    if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {



        hddLog(LOGE, "%s: Invalid assoc response length %d",

               __func__, pCsrRoamInfo->nAssocRspLength);

        goto done;

    }
@@ -2248,6 +2250,11 @@ static void hdd_SendReAssocEvent(struct net_device *dev, hdd_adapter_t *pAdapter 


    // Send the Assoc Resp, the supplicant needs this for initial Auth.

    len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;

    if (len > IW_GENERIC_IE_MAX) {

        hddLog(LOGE, "%s: Invalid assoc response length %d",

                __func__, pCsrRoamInfo->nAssocRspLength);

         goto done;

    }

    rspRsnLength = len;

    memcpy(rspRsnIe, pFTAssocRsp, len);

    memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len);