wlan: Buffer overflow due to invalid WscIeLen.
In the function limGetBssDescription, the 'pBssDescription->WscIeLen'
variable was not extracted from the pBuf pointer, and there was no
check for buffer overflow while copying from pBuf into
pBssDescription->WscIeProbeRsp, which leads to a kernel crash.
Change-Id: I28bcf770853a8840babdfe012a3a578dc652f297
CR-Fixed: 415391
diff --git a/CORE/MAC/src/pe/lim/limSerDesUtils.c b/CORE/MAC/src/pe/lim/limSerDesUtils.c
index 6569bfb..2a92a0c 100644
--- a/CORE/MAC/src/pe/lim/limSerDesUtils.c
+++ b/CORE/MAC/src/pe/lim/limSerDesUtils.c
@@ -240,23 +240,36 @@
if (limCheckRemainingLength(pMac, len) == eSIR_FAILURE)
return eSIR_FAILURE;
#endif
+ pBssDescription->fProbeRsp = *pBuf++;
+ len -= sizeof(tANI_U8);
+ if (limCheckRemainingLength(pMac, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
+ pBssDescription->WscIeLen = limGetU32( pBuf );
+ pBuf += sizeof(tANI_U32);
+ len -= sizeof(tANI_U32);
+ if (limCheckRemainingLength(pMac, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
if (pBssDescription->WscIeLen)
{
- palCopyMemory( pMac->hHdd, (tANI_U8 *) pBssDescription->WscIeProbeRsp,
+ if(pBssDescription->WscIeLen <= WSCIE_PROBE_RSP_LEN )
+ {
+ palCopyMemory( pMac->hHdd, (tANI_U8 *) pBssDescription->WscIeProbeRsp,
pBuf,
pBssDescription->WscIeLen);
+ }
+ else
+ {
+ limLog(pMac, LOGE,
+ FL("WscIeLen is greater than WSCIE_PROBE_RSP_LEN= %d\n"),
+ pBssDescription->WscIeLen);
+ return eSIR_FAILURE;
+ }
}
- pBuf += (sizeof(pBssDescription->WscIeProbeRsp) +
- sizeof(pBssDescription->WscIeLen) +
- sizeof(pBssDescription->fProbeRsp) +
- sizeof(tANI_U32));
-
- len -= (sizeof(pBssDescription->WscIeProbeRsp) +
- sizeof(pBssDescription->WscIeLen) +
- sizeof(pBssDescription->fProbeRsp) +
- sizeof(tANI_U32));
+ pBuf += WSCIE_PROBE_RSP_LEN;
+ len -= WSCIE_PROBE_RSP_LEN;
if (len > 0)
{