commit deea7a8746e2fb15b319cf6337b6539501bbef23
author Nachiket Kukade <nkukade@codeaurora.org> Mon Jan 15 12:30:13 2018 +0530
committer Anjaneedevi Kapparapu <akappara@codeaurora.org> Thu Feb 01 15:22:51 2018 +0530
tree f0ec52e93529fe4f993348bbadd0174ef52f61a0
parent c10ef6ac787b7f83e2997234babaf1615ad308a2

qcacld-2.0: Add maximum bound check on WPA RSN IE length

In set_ie after receiving DOT11F_EID_RSN, WPA RSN IE is copied from
source without a check on the given IE length. A malicious IE length
can cause buffer overflow.

Apply the same logic from Id159d307e8f9c1de720d4553a7c29f23cbd28571
that was applied under DOT11F_EID_WPA. This adds maximum bound check
on WPA RSN IE length.

Change-Id: I04f980fe44328b1a3f6a6d4854228cc4c9f1a1c7
CRs-Fixed: 2169222

CORE/HDD/src/wlan_hdd_cfg80211.c

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index b12f3ac..03fd124 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -23503,6 +23503,12 @@
                 }
                 break;
             case DOT11F_EID_RSN:
+                if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) {
+                    hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid WPA RSN IE length[%d], exceeds %d bytes",
+                            __func__, eLen, MAX_WPA_RSN_IE_LEN - 2);
+                    VOS_ASSERT(0);
+                    return -EINVAL;
+                }
                 hddLog (VOS_TRACE_LEVEL_INFO, "%s Set RSN IE(len %d)",__func__, eLen + 2);
                 memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
                 memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2)/*ie_len*/);