commit b049eaf182388273263ed33c1ea589a32461d133
author Srinivas Girigowda <sgirigow@codeaurora.org> Fri Feb 17 16:08:59 2017 +0800
committer Silence.Zhang <Silence.Zhang@hi-p.com> Fri Feb 17 16:09:27 2017 +0800
tree 73ebc8652ea9ce2601f5be3b3ed10a77b20414b4
parent 1a48b52db5b37146fb15cfbda49f3be736061268

FPII-2838: Information disclosure vulnerability in Qualcomm Wi-Fi driver (device specific) CVE-2017-0461A-32073794 QC-CR#1100132

qcacld-2.0: Fix array out-of-bounds & integer underflow in _iw_set_genie
'wrqu->data.length' holds the total number of IE data buffer.
Add a check to make sure the number of remaining data to be read is
greater than or equal to IE length.
Also, advance the buffer pointer to point to the next element only
if next element is present.

Change-Id: Iacd98fd53a905a075759db84537e2c8888dab6b6

CORE/HDD/src/wlan_hdd_wext.c

diff --git a/CORE/HDD/src/wlan_hdd_wext.c b/CORE/HDD/src/wlan_hdd_wext.c
index 7feeffd..c3e487c 100644
--- a/CORE/HDD/src/wlan_hdd_wext.c
+++ b/CORE/HDD/src/wlan_hdd_wext.c
@@ -2018,6 +2018,12 @@
         hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]",
             __func__, elementId, eLen);
 
+        if (remLen < eLen) {
+            hddLog(LOGE, "Remaining len: %u less than ie len: %u",
+                remLen, eLen);
+            ret = -EINVAL;
+            goto exit;
+        }
         switch ( elementId )
          {
             case IE_EID_VENDOR:
@@ -2100,8 +2106,10 @@
              hddLog (LOGE, "%s Set UNKNOWN IE %X",__func__, elementId);
              goto exit;
     }
-        genie += eLen;
         remLen -= eLen;
+        /* Move genie only if next element is present */
+        if (remLen >= 2)
+             genie += eLen;
     }
 exit:
     EXIT();