qcacld-3.0: Add SSID length boundary check while processing vendor scan request While extracting SSID from nl attributes, Currently there is no boundary check for max and min length. Hence host causes buffer overflow. As a part of this fix, Add ssid array boundary check to avoid buffer overflow. CRs-Fixed: 1069298 Change-Id: I395be358f7bf3f23bb9453d1ed6c3dc9025f4aab

commit: 89c58d2137a92f2a6b4f3e085226a60a9dc4b13c [log] [tgz]
author: SaidiReddy Yenuga <saidir@codeaurora.org> Wed Sep 21 13:44:35 2016 +0530
committer: Prakash Dhavali <pdhavali@codeaurora.org> Thu Nov 03 17:54:08 2016 -0700
tree: 8687f1a543a6f827e7473b237f84274356728ec2
parent: bc17724e7a2afdae5d1b65c39b81a78a14f2253e [diff]
diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c
index 40b1e6f..f955421 100644
--- a/core/hdd/src/wlan_hdd_scan.c
+++ b/core/hdd/src/wlan_hdd_scan.c

@@ -2012,6 +2012,12 @@
 		nla_for_each_nested(attr, tb[QCA_WLAN_VENDOR_ATTR_SCAN_SSIDS],
 				tmp) {
 			request->ssids[count].ssid_len = nla_len(attr);
+			if (request->ssids[count].ssid_len >
+				SIR_MAC_MAX_SSID_LENGTH) {
+				hdd_err("SSID Len %d is not correct for network %d",
+					 request->ssids[count].ssid_len, count);
+				goto error;
+			}
 			memcpy(request->ssids[count].ssid, nla_data(attr),
 					nla_len(attr));
 			count++;
commit	89c58d2137a92f2a6b4f3e085226a60a9dc4b13c	[log] [tgz]
author	SaidiReddy Yenuga <saidir@codeaurora.org>	Wed Sep 21 13:44:35 2016 +0530
committer	Prakash Dhavali <pdhavali@codeaurora.org>	Thu Nov 03 17:54:08 2016 -0700
tree	8687f1a543a6f827e7473b237f84274356728ec2
parent	bc17724e7a2afdae5d1b65c39b81a78a14f2253e [diff]