Skip to content
Snippets Groups Projects
Commit a9f99d0a authored by Nishank Aggarwal's avatar Nishank Aggarwal Committed by David C. Park
Browse files

qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()

Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validates which uses as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.

Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.

References: CVE-2017-6424
Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648
parent 64721ae6
Branches
Tags
No related merge requests found
......@@ -3976,6 +3976,13 @@ static int __iw_set_ap_genie(struct net_device *dev,
return 0;
}
if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
"%s: WPARSN Ie input length is more than max[%d]", __func__,
wrqu->data.length);
return -EINVAL;
}
switch (genie[0])
{
case DOT11F_EID_WPA:
......
0% Loading or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment