commit 7d6a1b5503b61571bde18cd0b6d1a238472ce56c
author Nishank Aggarwal <naggar@codeaurora.org> Tue Mar 14 15:02:24 2017 +0800
committer Jeron Susan <jeron.susan@hi-p.com> Tue Mar 14 15:02:31 2017 +0800
tree 480ea81ac7c72229a9f8dcffecfb537fbeb1079c
parent b049eaf182388273263ed33c1ea589a32461d133

FPII-2976 :Elevation of privilege vulnerability in Qualcomm Wi-Fi driver CVE-2017-6424 A-32086742 QC-CR#1102648

qcacld-2.0: Fix buffer overflow in WLANSAP_Set_WPARSNIes()
Currently In WLANSAP_Set_WPARSNIes() the parameter WPARSNIEsLen
is user-controllable and never validates which uses as the length
for a memory copy. This enables user-space applications to corrupt
heap memory and potentially crash the kernel.

Fix is to validate the WPARSNIes length to its max before use as the
length for a memory copy.

Change-Id: I7aff731aeae22bfd84beb955439a799abef37f68
CRs-Fixed: 1102648

Change-Id: I096ef5f34784f88697dbe39e8ac7a163abe6b7a3

CORE/HDD/src/wlan_hdd_hostapd.c

diff --git a/CORE/HDD/src/wlan_hdd_hostapd.c b/CORE/HDD/src/wlan_hdd_hostapd.c
index 6620bc6..fda0237 100644
--- a/CORE/HDD/src/wlan_hdd_hostapd.c
+++ b/CORE/HDD/src/wlan_hdd_hostapd.c
@@ -3597,6 +3597,13 @@
         return 0;
     }
 
+    if (wrqu->data.length > DOT11F_IE_RSN_MAX_LEN) {
+       VOS_TRACE(VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_ERROR,
+               "%s: WPARSN Ie input length is more than max[%d]", __func__,
+                wrqu->data.length);
+       return -EINVAL;
+    }
+
     switch (genie[0]) 
     {
         case DOT11F_EID_WPA: