commit 7b48fd9ff4b2d542aaaf3c3cba55f276124fda53
author Ashish Kumar Dhanotiya <adhanoti@codeaurora.org> Tue Feb 11 18:14:46 2020 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Tue Mar 17 22:49:10 2020 -0700
tree be6b5ad64de9fe13b8f66762268efcf667320bc0
parent 6275acb81862fb1a4dfbf1b22013e6a17cef0475

wlan: Validate assoc response IE len before copy

When host sends assoc response to supplicant, it
allocates a buffer of fixed size and copies a variable
length of assoc response IEs to this fixed sized buffer.
There is a possibility of OOB write to the allocated buffer
if the assoc response IEs length is greater than the
allocated buffer size.
To avoid above issue validate the assoc response IEs length
with the allocated buffer size before data copy to the buffer.

Change-ID: Ib12385e9ff04e5172ae8b505faf959e426fda439
CRs-Fixed: 2616226

CORE/HDD/src/wlan_hdd_assoc.c

diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 5258b34..af21a0e 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -2230,8 +2230,10 @@
         goto done;
     }
 
-    if (pCsrRoamInfo->nAssocRspLength == 0) {
-        hddLog(LOGE, "%s: Invalid assoc response length", __func__);
+    if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+
+        hddLog(LOGE, "%s: Invalid assoc response length %d",
+               __func__, pCsrRoamInfo->nAssocRspLength);
         goto done;
     }
 
@@ -2248,6 +2250,11 @@
 
     // Send the Assoc Resp, the supplicant needs this for initial Auth.
     len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+    if (len > IW_GENERIC_IE_MAX) {
+        hddLog(LOGE, "%s: Invalid assoc response length %d",
+                __func__, pCsrRoamInfo->nAssocRspLength);
+         goto done;
+    }
     rspRsnLength = len;
     memcpy(rspRsnIe, pFTAssocRsp, len);
     memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len);