net: wireless: bcmdhd: fix buffer overrun in dhd_pno_process_anqpo_re…

…sult CVE-2017-0572 added boundary check not to overflow buffer especially when input parameters manipulated. Bug: 34198931 Change-Id: I39d7dc38a597a938d37dbd7bb267a7ff4df93e45 Signed-off-by: Insun Song <[email protected]> Signed-off-by: gwx419604 <[email protected]> Signed-off-by: Francisco Franco <[email protected]>
franciscofranco · Oct 17, 2017 · 1a8ccc0 · 1a8ccc0
1 parent 2a58d9c
commit 1a8ccc0
Showing 1 changed file with 17 additions and 3 deletions.
diff --git a/drivers/net/wireless/bcmdhd/dhd_pno.c b/drivers/net/wireless/bcmdhd/dhd_pno.c
@@ -3679,6 +3679,7 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
 	uint8 channel;
 	uint32 mem_needed;
 	struct timespec ts;
+	wl_event_gas_t *gas_data;
 
 	*size = 0;
 
@@ -3699,9 +3700,22 @@ dhd_process_full_gscan_result(dhd_pub_t *dhd, const void *data, int *size)
 		DHD_ERROR(("Invalid bss_info length %d: ignoring\n", bi_length));
 		goto exit;
 	}
-	if (bi->SSID_len > DOT11_MAX_SSID_LEN) {
-		DHD_ERROR(("Invalid SSID length %d: trimming it to max\n", bi->SSID_len));
-		bi->SSID_len = DOT11_MAX_SSID_LEN;
+	if ((bi->SSID_len > DOT11_MAX_SSID_LEN)||
+		(bi->ie_length > (*size - sizeof(wl_bss_info_t))) ||
+		(bi->ie_offset < sizeof(wl_bss_info_t)) ||
+		(bi->ie_offset > (sizeof(wl_bss_info_t) + bi->ie_length))){
+		DHD_ERROR(("%s: tot:%d,SSID:%d,ie_len:%d,ie_off:%d\n",
+			__FUNCTION__, *size, bi->SSID_len,
+			bi->ie_length, bi->ie_offset));
+		return NULL;
+	}
+
+	gas_data = (wl_event_gas_t *)((uint8 *)data + bi->ie_offset + bi->ie_length);
+
+	if (gas_data->data_len > (*size - (bi->ie_offset + bi->ie_length))) {
+		DHD_ERROR(("%s: wrong gas_data_len:%d\n",
+			__FUNCTION__, gas_data->data_len));
+		return NULL;
 	}
 
 	mem_needed = OFFSETOF(wifi_gscan_result_t, ie_data) + bi->ie_length;