author | sheenam monga <shebala@codeaurora.org> | 2020-07-08 10:34:46 +0530 |
---|---|---|
committer | Hsiu Chang Chen <hsiuchangchen@google.com> | 2021-05-25 02:46:47 +0000 |
commit | 16abcfbc1aa398accc5583ca6f9c4c41e1a40098 (patch) | |
tree | c912ea5f514b41520d9750ddb28141b4b202b34a | |
parent | cfd42be7efa8b409ec4614fc41659475ef6e04f4 (diff) | |
qcacmn: Fix OOB issue in wlan_parse_rsn_ie
Issue: Currently, host doesn't validate pkid_count
before populating data in rsn->pmkid. rsn->pmkid array
can store only 4/MAX_PMKID pmkids which may cause OOB
write if host tries to copy pmkids more than MAX_PMKID.
Fix: validate pkid_count before populating rsn->pmkid
and return Failure in case pkid_count becomes greater
than MAX_PMKID to avoid OOB.
Bug: 188910236
Test: Regression Test
Change-Id: I211ea791a52ecb84872d139929f999a89db240d5
CRs-Fixed: 2724407
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- | umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h index 30f5f7ced..80475021e 100644 --- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h +++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h @@ -1600,7 +1600,8 @@ static inline QDF_STATUS wlan_parse_rsn_ie(uint8_t *rsn_ie, rsn->pmkid_count = LE_READ_2(ie); ie += 2; rem_len -= 2; - if (rsn->pmkid_count > (unsigned int) rem_len / PMKID_LEN) { + if (rsn->pmkid_count > MAX_PMKID || + rsn->pmkid_count > (unsigned int)rem_len / PMKID_LEN) { rsn->pmkid_count = 0; return QDF_STATUS_E_INVAL; } |
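Review bot: the second half of the new condition still relies on (unsigned int)rem_len / PMKID_LEN, evaluated right after rem_len -= 2. The cast suggests rem_len is a signed type. If it can be below 2 at this point, the subtraction makes it negative, the cast turns it into a very large value, and that bound no longer limits anything. The added rsn->pmkid_count > MAX_PMKID comparison caps the number of entries written into rsn->pmkid either way, so the write side described in the commit message is covered. The read side is not: LE_READ_2(ie) and the later PMKID copies still depend on rem_len having been checked before this point, which is not visible in this hunk. Please confirm that a length check precedes the LE_READ_2(ie) call, or add an explicit rem_len < 2 rejection ahead of it. A one-line comment stating that MAX_PMKID is the capacity of rsn->pmkid would also make the intent of the first comparison clear to the next reader. "Test: Regression Test" does not show that an IE with pmkid_count above MAX_PMKID was exercised; a case for that input would be worth adding.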