author sheenam monga <shebala@codeaurora.org> 2020-07-08 10:34:46 +0530
committer Hsiu Chang Chen <hsiuchangchen@google.com> 2021-05-25 02:46:47 +0000
commit 16abcfbc1aa398accc5583ca6f9c4c41e1a40098 (patch)
tree c912ea5f514b41520d9750ddb28141b4b202b34a
parent cfd42be7efa8b409ec4614fc41659475ef6e04f4 (diff)
qcacmn: Fix OOB issue in wlan_parse_rsn_ie
Issue: Currently, host doesn't validate pkid_count before populating data in rsn->pmkid. rsn->pmkid array can store only 4/MAX_PMKID pmkids which may cause OOB write if host tries to copy pmkids more than MAX_PMKID.

Fix: validate pkid_count before populating rsn->pmkid and return Failure in case pkid_count becomes greater than MAX_PMKID to avoid OOB.

Bug: 188910236
Test: Regression Test
Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h 3
1 files changed, 2 insertions, 1 deletions
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
index 30f5f7ced..80475021e 100644
--- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
+++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
@@ -1600,7 +1600,8 @@ static inline QDF_STATUS wlan_parse_rsn_ie(uint8_t *rsn_ie,
rsn->pmkid_count = LE_READ_2(ie);
ie += 2;
rem_len -= 2;
- if (rsn->pmkid_count > (unsigned int) rem_len / PMKID_LEN) {
+ if (rsn->pmkid_count > MAX_PMKID ||
+ rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN) {
rsn->pmkid_count = 0;
return QDF_STATUS_E_INVAL;
}
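Review bot: the second bound in the new condition, `(unsigned int)rem_len / PMKID_LEN`, is evaluated after `rem_len -= 2`, and this hunk does not show a check that at least 2 bytes remained before `LE_READ_2(ie)`. If `rem_len` is a signed type and can reach this point with a value below 2, the cast turns the negative result into a very large unsigned number and that bound stops constraining anything. The added `rsn->pmkid_count > MAX_PMKID` test would then cap the count at the array size, but the reads from `ie` that follow could still run past the end of the IE. Please confirm that a `rem_len < 2` guard sits just above this context, or add one. A one-line comment stating that MAX_PMKID is the capacity of `rsn->pmkid` (as the commit message says), or deriving the bound from the array declaration itself, would also keep the check and the array from drifting apart.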