Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 62d9899e8cd5aee9f1360b9549e52403eb6aeb65
commit62d9899e8cd5aee9f1360b9549e52403eb6aeb65[log] [tgz]
authorVignesh Viswanathan <viswanat@codeaurora.org>Thu Nov 30 12:30:37 2017 +0530
committersnandini <snandini@codeaurora.org>Tue Dec 05 13:38:42 2017 -0800
treeede26f3cfa2b4e1c116bc404e3ec2bfdd84c0390
parent325061be3874af14281af9573033d5a431b1abdc [diff]
qcacld-3.0: Fix potential buffer over-read during FILS Association

In function wlan_hdd_send_roam_auth_event, FILS kek is copied to
skb for the vendor command QCA_WLAN_VENDOR_ATTR_ROAM_AUTH_PTK_KEK
for kek_len length. There is no validation for the max value of
kek_len and would lead to an buffer over-read if kek_len exceeds
SIR_KEK_KEY_LEN_FILS.

Add sanity check for kek_len for max limit SIR_KEK_KEY_LEN_FILS
before copying the kek to skb.

Change-Id: I4290909cd2df8686a32d25aa14711db2b899b2eb
CRs-Fixed: 2152985
1 file changed
tree: ede26f3cfa2b4e1c116bc404e3ec2bfdd84c0390
  1. components/
  2. core/
  3. uapi/
  4. Android.mk
  5. Kbuild
  6. Kconfig
  7. Makefile
  8. README.txt