wlan: Add maximum bound check on WPA RSN IE length
In set_ie, when DOT11F_EID_RSN is encountered, the WPA RSN IE is copied
into the fixed-size WPARSNIE buffer without validating the IE length
taken from the input. An oversized IE length can therefore overflow
that buffer.
Apply the same logic from Id159d307e8f9c1de720d4553a7c29f23cbd28571
that was applied under DOT11F_EID_WPA. This adds maximum bound check
on WPA RSN IE length.
Change-Id: I04f980fe44328b1a3f6a6d4854228cc4c9f1a1c7
CRs-Fixed: 2177210
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index f4269e4..dd14f10 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -15753,6 +15753,12 @@
} /* end of if (WLAN_HDD_IBSS == pAdapter->device_mode) */
break;
case DOT11F_EID_RSN:
+ if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) {
+ hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid WPA RSN IE length[%d], exceeds %d bytes",
+ __func__, eLen, MAX_WPA_RSN_IE_LEN - 2);
+ VOS_ASSERT(0);
+ return -EINVAL;
+ }
hddLog (VOS_TRACE_LEVEL_INFO, "%s Set RSN IE(len %d)",__func__, eLen + 2);
memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2)/*ie_len*/);
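Review bot: The new guard calls VOS_ASSERT(0) on a length that, per the commit message, is attacker-controllable input, so on builds where VOS_ASSERT is fatal a single malformed RSN IE becomes a deliberate crash instead of a rejected request; a bad IE should be logged and refused, not asserted on. The bound itself looks right: eLen + 2 bytes are copied from `genie - 2`, so capping eLen at MAX_WPA_RSN_IE_LEN - 2 keeps the memcpy within WPARSNIE. I would drop the assert and lower the log level to `hddLog(VOS_TRACE_LEVEL_ERROR, "%s: Invalid WPA RSN IE length[%d], exceeds %d bytes", __func__, eLen, MAX_WPA_RSN_IE_LEN - 2);` followed by `return -EINVAL;`. The enclosing set_ie function starts outside this hunk, so whether the early -EINVAL return skips cleanup of state set earlier in the parsing loop cannot be confirmed from here and is worth checking.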