author | Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> | 2018-07-10 09:49:59 +0900 |
---|---|---|
committer | David C. Park <davidc.park@lge.com> | 2018-07-12 13:14:00 -0700 |
commit | ff8a7364ebecdf478e6168d57ea5d7916d672754 (patch) | |
tree | f22e8fd55150e703993d73baeaff831200302bee | |
parent | 13b6aa64bf6dce81a063396d6551a70a3840fa14 (diff) |
qcacld-2.0: Avoid possible stack overflow in hdd_ProcessGENIE APIandroid-wear-8.0.0_r0.48android-wear-8.0.0_r0.47
There is no check for the return value of dot11fUnpackIeRSN API
in hdd_ProcessGENIE API, which may cause stack overflow if
pmkid_count is returned as more than the PMKIDCache size.
Add a check for return value of dot11fUnpackIeRSN to avoid possible
stack overflow.
CVE-2018-3580
Change-Id: I56424c706de121b18b8d3f2c4a35089ec0434452
CRs-Fixed: 2149187
-rw-r--r-- | drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c | 10 |
1 files changed, 9 insertions, 1 deletions
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
index 81c495f7719e..b7b0caaf6544 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_assoc.c
@@ -3709,6 +3709,7 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
 tDot11fIERSN dot11RSNIE;
 tDot11fIEWPA dot11WPAIE;
 tANI_U32 i;
+ tANI_U32 status;
 tANI_U8 *pRsnIe;
 tANI_U16 RSNIeLen;
 tPmkidCacheInfo PMKIDCache[4]; // Local transfer memory
@@ -3734,10 +3735,17 @@ static tANI_S32 hdd_ProcessGENIE(hdd_adapter_t *pAdapter,
 pRsnIe = gen_ie + 2;
 RSNIeLen = gen_ie_len - 2;
 // Unpack the RSN IE
- dot11fUnpackIeRSN((tpAniSirGlobal) halHandle,
+ status = dot11fUnpackIeRSN((tpAniSirGlobal) halHandle,
 pRsnIe,
 RSNIeLen,
 &dot11RSNIE);
+ if (DOT11F_FAILED(status))
+ {
+ hddLog(LOGE,
+ FL("Parse failure in hdd_ProcessGENIE (0x%08x)"),
+ status);
+ return -EINVAL;
+ }
 // Copy out the encryption and authentication types
 hddLog(LOG1, FL("%s: pairwise cipher suite count: %d"),
 __func__, dot11RSNIE.pwise_cipher_suite_count );
|
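Review bot: The new `DOT11F_FAILED(status)` check in the second hunk leaves the 4-entry stack array `PMKIDCache` protected only indirectly, because it relies on dot11fUnpackIeRSN rejecting an oversized pmkid_count rather than bounding the copy itself. The copy into `PMKIDCache` lies outside this hunk, so how it is bounded cannot be confirmed from here. An explicit guard just before that copy would keep the array safe even if the parser's limit or its warning-level statuses change: `if (dot11RSNIE.pmkid_count > sizeof(PMKIDCache) / sizeof(PMKIDCache[0])) return -EINVAL;`. The function also declares `dot11WPAIE`, so the WPA unpack call further down (not shown) presumably deserves the same return-value check. hdd_ProcessGENIE begins and ends outside both hunks.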