qcacld-2.0: Fix buffer overwrite due to ssid_len in WMA handlers
In multiple WMA event handler functions, ssid_len is used to copy
ssid from FW buffer to local buffer and ssid_len value is received
from the FW. If the ssid_len value exceeds SIR_MAC_MAX_SSID_LENGTH
then a buffer overwrite would occur.
Add sanity check for ssid_len against SIR_MAC_MAX_SSID_LENGTH in
multiple WMA handler functions
Change-Id: I9e4b1f88c275093b4912496cdb936cf54a8880a2
CRs-Fixed: 2162678
diff --git a/CORE/SERVICES/WMA/wma.c b/CORE/SERVICES/WMA/wma.c
index cab4944..3743e56 100644
--- a/CORE/SERVICES/WMA/wma.c
+++ b/CORE/SERVICES/WMA/wma.c
@@ -4378,6 +4378,11 @@
dest_ap->ieLength = src_hotlist-> ie_length;
WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
dest_ap->bssid);
+ if (src_hotlist->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGE("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
vos_mem_copy(dest_ap->ssid, src_hotlist->ssid.ssid,
src_hotlist->ssid.ssid_len);
dest_ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4552,6 +4557,13 @@
WMI_MAC_ADDR_TO_CHAR_ARRAY(&src_hotlist->bssid,
ap->bssid);
+ if (src_hotlist->ssid.ssid_len >
+ SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s Invalid SSID len %d, truncating",
+ __func__, src_hotlist->ssid.ssid_len);
+ src_hotlist->ssid.ssid_len =
+ SIR_MAC_MAX_SSID_LENGTH;
+ }
vos_mem_copy(ap->ssid, src_hotlist->ssid.ssid,
src_hotlist->ssid.ssid_len);
ap->ssid[src_hotlist->ssid.ssid_len] = '\0';
@@ -4860,9 +4872,13 @@
WMA_SVC_MSG_MAX_SIZE) {
WMA_LOGE("IE Length: %d or ANQP Length: %d is huge",
event->ie_length, event->anqp_length);
- VOS_ASSERT(0);
return -EINVAL;
}
+ if (event->ssid.ssid_len > SIR_MAC_MAX_SSID_LENGTH) {
+ WMA_LOGD("%s: Invalid ssid len %d, truncating",
+ __func__, event->ssid.ssid_len);
+ event->ssid.ssid_len = SIR_MAC_MAX_SSID_LENGTH;
+ }
dest_match = vos_mem_malloc(sizeof(*dest_match) +
event->ie_length + event->anqp_length);
if (!dest_match) {
