commit 3d72b7e203b431e53d1a6f7be6e11f31aaeec780
author Nachiket Kukade <nkukade@codeaurora.org> Fri Jun 09 16:58:24 2017 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Mon Jun 19 06:01:00 2017 -0700
tree 389024421cfa141542425fef08c148ea041f928d
parent e21a521907d332e33d2b9f30743fb4ba5d2c904a

wlan: Add maximum bound check on WPA RSN IE length

WPA RSN IE is copied from source without a check on the given IE length.
A malicious IE length can cause buffer overflow.
Add maximum bound check on WPA RSN IE length.

Change-Id: Id159d307e8f9c1de720d4553a7c29f23cbd28571
CRs-Fixed: 2058978

CORE/HDD/src/wlan_hdd_cfg80211.c

diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 97f6569..963bbc2 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -14981,6 +14981,13 @@
                 }
                 else if (0 == memcmp(&genie[0], "\x00\x50\xf2", 3))
                 {
+                    if (eLen > (MAX_WPA_RSN_IE_LEN - 2)) {
+                        hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid WPA RSN IE length[%d]",
+                            __func__, eLen);
+                        VOS_ASSERT(0);
+                        return -EINVAL;
+                    }
+
                     hddLog (VOS_TRACE_LEVEL_INFO, "%s Set WPA IE (len %d)",__func__, eLen + 2);
                     memset( pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN );
                     memcpy( pWextState->WPARSNIE, genie - 2, (eLen + 2) /*ie_len*/);