wlan: Check on IE length to avoid buffer over-read

An incorrect IE length can overflow the remaining length variable
and make IE parsing logic perform a buffer over-read.
Check on IE length to avoid buffer over-read.

Change-Id: I20ef6a0136c7a5b602ad15a2fb725f20807b81d0
CRs-Fixed: 2058954
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index a6e0f46..97f6569 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -14938,6 +14938,14 @@
         eLen  = *genie++;
         remLen -= 2;
 
+        /* Sanity check on eLen */
+        if (eLen > remLen) {
+            hddLog(VOS_TRACE_LEVEL_FATAL, "%s: Invalid IE length[%d] for IE[0x%X]",
+                    __func__, eLen, elementId);
+            VOS_ASSERT(0);
+            return -EINVAL;
+        }
+
         hddLog(VOS_TRACE_LEVEL_INFO, "%s: IE[0x%X], LEN[%d]",
             __func__, elementId, eLen);
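Review bot: The new `eLen > remLen` guard handles a malformed IE as if it were an internal invariant failure, calling `VOS_ASSERT(0)` and logging at `VOS_TRACE_LEVEL_FATAL` for a length that, going by the commit message, can simply be wrong in the supplied IE buffer. If asserts are fatal in any build configuration, bad input would stop the device instead of being rejected, so I would drop the assert and log at `VOS_TRACE_LEVEL_ERROR` while keeping `return -EINVAL;`. The guard also runs after `remLen -= 2`, so it only holds if the loop condition guarantees at least two bytes remain and remLen has not gone negative or wrapped. A comment such as `/* loop condition guarantees remLen >= 2 before the header is consumed */` would record that dependency. The enclosing function starts and ends outside the hunk, so the loop condition and the types of eLen and remLen need to be confirmed there.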