Commit ca71f8bf authored by sheenam monga, committed by Gerrit - the friendly Code Review server

qcacmn: Fix OOB issue in wlan_parse_rsn_ie

Issue: Currently, host doesn't validate pkid_count
before populating data in rsn->pmkid. rsn->pmkid array
can store only 4/MAX_PMKID pmkids which may cause OOB
write if host tries to copy pmkids more than MAX_PMKID.

Fix: validate pkid_count before populating rsn->pmkid
and return Failure in case pkid_count becomes greater
than MAX_PMKID to avoid OOB.

Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
parent 1dbf76de
+2 −1
@@ -1649,7 +1649,8 @@ static inline QDF_STATUS wlan_parse_rsn_ie(uint8_t *rsn_ie,
		rsn->pmkid_count = LE_READ_2(ie);
		rsn->pmkid_count = LE_READ_2(ie);
		ie += 2;
		ie += 2;
		rem_len -= 2;
		rem_len -= 2;
		if (rsn->pmkid_count > (unsigned int) rem_len / PMKID_LEN) {
		if (rsn->pmkid_count > MAX_PMKID ||
		    rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN) {
			rsn->pmkid_count = 0;
			rsn->pmkid_count = 0;
			return QDF_STATUS_E_INVAL;
			return QDF_STATUS_E_INVAL;
		}
		}
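
Review bot: in the second condition, `(unsigned int)rem_len / PMKID_LEN`, the cast binds to `rem_len` before the division, so if `rem_len` is a signed type and went negative at `rem_len -= 2`, the quotient becomes very large and that comparison no longer limits anything. The added `rsn->pmkid_count > MAX_PMKID` test still bounds the later writes into `rsn->pmkid`, but it does not bound how far the parser reads from `ie`. The hunk shows no `rem_len >= 2` check ahead of `LE_READ_2(ie)`, so please confirm one exists earlier in `wlan_parse_rsn_ie` or add it here. It would also help to add a short comment stating that `MAX_PMKID` is the element count of `rsn->pmkid`, or to derive the bound from the array declaration, so the two cannot drift apart. The commit message says `pkid_count` where the field in the code is `pmkid_count`.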