prima: Verify pmk len in construct RSn IE API

Verify that the PMK length is less than 48 bytes,
as it is for a correct PMK, to avoid stack corruption
in the API csrConstructRSNIe when the PMK is
copied in the API csrLookupPMKID.

Change-Id: I8a76a2883f83447cb1c92df1aff685df990e1619
CRs-Fixed: 2596334
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index fa27193..5258b34 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -4649,6 +4649,7 @@
        flag to 0 */
     memset( &dot11WPAIE, 0 , sizeof(tDot11fIEWPA) );
     memset( &dot11RSNIE, 0 , sizeof(tDot11fIERSN) );
+    memset( PMKIDCache, 0 , sizeof(tPmkidCacheInfo) * 4);
 
     // Type check
     if ( gen_ie[0] ==  DOT11F_EID_RSN)
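Review bot: The added `memset` hard-codes the element count as `4`, so the cleared size is only right while it matches the declaration of `PMKIDCache`, which is outside this hunk. If `PMKIDCache` is a local array, `memset(PMKIDCache, 0, sizeof(PMKIDCache));` ties the two together; if it is a pointer or parameter, the count should come from the same named constant used where the buffer is defined. A mismatch matters in both directions: too small leaves uninitialized bytes (possibly including `pmk_len`) that the later lookup may rely on, and too large writes past the buffer.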
diff --git a/CORE/SME/src/csr/csrApiRoam.c b/CORE/SME/src/csr/csrApiRoam.c
index 64500d7..110c606 100644
--- a/CORE/SME/src/csr/csrApiRoam.c
+++ b/CORE/SME/src/csr/csrApiRoam.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -12899,11 +12899,12 @@
             pSession->PmkidCacheInfo[cache_idx].PMKID,
             pmksa->PMKID, CSR_RSN_PMKID_SIZE);
 
-    if (pmksa->pmk_len)
+    pSession->PmkidCacheInfo[cache_idx].pmk_len = 0;
+    if (pmksa->pmk_len && pmksa->pmk_len <= CSR_RSN_MAX_PMK_LEN) {
         vos_mem_copy(pSession->PmkidCacheInfo[cache_idx].pmk,
                 pmksa->pmk, pmksa->pmk_len);
-
-    pSession->PmkidCacheInfo[cache_idx].pmk_len = pmksa->pmk_len;
+        pSession->PmkidCacheInfo[cache_idx].pmk_len = pmksa->pmk_len;
+    }
 
     /* Increment the CSR local cache index */
     if (cache_idx < (CSR_MAX_PMKID_ALLOWED - 1))
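Review bot: When `pmksa->pmk_len` is zero or exceeds `CSR_RSN_MAX_PMK_LEN`, the slot at `cache_idx` keeps whatever PMK bytes an earlier entry left there, now paired with the new PMKID and a length of 0. The index handling below suggests slots are reused, so clearing the buffer before the length check avoids leaving stale key material behind. Assuming `pmk` is an array member, that would be `vos_mem_zero(pSession->PmkidCacheInfo[cache_idx].pmk, sizeof(pSession->PmkidCacheInfo[cache_idx].pmk));`. The oversized case is also dropped silently while the entry is still cached and the index advanced; an `else` branch that logs the rejected length, or that refuses the entry, would make a bad `pmk_len` from the caller visible. The enclosing function starts and ends outside the hunk.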
diff --git a/CORE/SME/src/csr/csrUtil.c b/CORE/SME/src/csr/csrUtil.c
index f8f45e7..a9bec95 100644
--- a/CORE/SME/src/csr/csrUtil.c
+++ b/CORE/SME/src/csr/csrUtil.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2011-2017, 2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2011-2017, 2019-2020 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -4095,39 +4095,6 @@
     return( fRSNMatch );
 }
 
-/**
- * csr_lookup_pmkid_using_ssid() - lookup pmkid using ssid and cache_id
- * @mac: pointer to mac
- * @session: sme session pointer
- * @pmk_cache: pointer to pmk cache
- * @index: index value needs to be seached
- *
- * Return: true if pmkid is found else false
- */
-static bool csr_lookup_pmkid_using_ssid(tpAniSirGlobal mac,
-                    tCsrRoamSession *session,
-                    tPmkidCacheInfo *pmk_cache,
-                    uint32_t *index)
-{
-    uint32_t i;
-    tPmkidCacheInfo *session_pmk;
-
-    for (i = 0; i < session->NumPmkidCache; i++) {
-        session_pmk = &session->PmkidCacheInfo[i];
-
-        if ((!vos_mem_compare(pmk_cache->ssid, session_pmk->ssid,
-                  pmk_cache->ssid_len)) &&
-            (!vos_mem_compare(session_pmk->cache_id,
-                  pmk_cache->cache_id, CACHE_ID_LEN))) {
-            /* match found */
-            *index = i;
-            return true;
-        }
-    }
-
-    return false;
-}
-
 bool csr_lookup_pmkid_using_bssid(tpAniSirGlobal mac,
                     tCsrRoamSession *session,
                     tPmkidCacheInfo *pmk_cache,
@@ -4150,7 +4117,7 @@
 }
 
 tANI_BOOLEAN csrLookupPMKID(tpAniSirGlobal pMac, tANI_U32 sessionId,
-                                tPmkidCacheInfo *pmk_cache)
+                            tPmkidCacheInfo *pmk_cache)
 
 {
     tANI_BOOLEAN fRC = FALSE, fMatchFound = FALSE;
@@ -4171,22 +4138,20 @@
         pSession->fIgnorePMKIDCache = FALSE;
         return fRC;
     }
-    
-   if (pmk_cache->ssid_len) {
-       /* Try to find based on cache_id and ssid first */
-       fMatchFound = csr_lookup_pmkid_using_ssid(pMac, pSession, pmk_cache,
-                                                 &Index);
-   }
 
     /* If not able to find using cache id or ssid_len is not present */
-    if (!fMatchFound)
-        fMatchFound = csr_lookup_pmkid_using_bssid(pMac, pSession, pmk_cache,
-                                                   &Index);
+    fMatchFound = csr_lookup_pmkid_using_bssid(pMac, pSession, pmk_cache,
+                                               &Index);
 
    if (!fMatchFound) {
        smsLog(pMac, LOG2, "No PMKID Match Found");
        return false;
+   }
 
+   if (pSession->PmkidCacheInfo[Index].pmk_len > CSR_RSN_MAX_PMK_LEN) {
+        smsLog(pMac, LOG2, "PMK length %d is invalid",
+               pSession->PmkidCacheInfo[Index].pmk_len);
+        return false;
    }
 
    vos_mem_copy(pmk_cache->PMKID, pSession->PmkidCacheInfo[Index].PMKID, CSR_RSN_PMKID_SIZE);
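Review bot: The comment kept above the lookup, `/* If not able to find using cache id or ssid_len is not present */`, no longer describes the code, because the SSID/cache_id path is gone and the BSSID lookup is now unconditional. Something like `/* Look up the cached entry by BSSID */` would match what remains. Dropping the SSID/cache_id lookup is a behaviour change beyond the length check named in the commit title, so a short comment stating it is intentional would help later readers. In the new guard, a stored `pmk_len` above `CSR_RSN_MAX_PMK_LEN` points to a corrupted or mis-populated cache entry, so `LOGE` rather than `LOG2` would surface it in normal logs. The body of `csrLookupPMKID` continues outside the hunk.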