Commit 130f634d authored by Lee Gibson, committed by Kalle Valo

qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth



Function qtnf_event_handle_external_auth calls memcpy without
checking the length.
A user could control that length and trigger a buffer overflow.
Fix by checking the length is within the maximum allowed size.

Signed-off-by: Lee Gibson <leegib@gmail.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210419145842.345787-1-leegib@gmail.com
parent a9a4c080
+4 −2
@@ -570,8 +570,10 @@ qtnf_event_handle_external_auth(struct qtnf_vif *vif,
		return 0;

	if (ev->ssid_len) {
		memcpy(auth.ssid.ssid, ev->ssid, ev->ssid_len);
		auth.ssid.ssid_len = ev->ssid_len;
		int len = clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN);

		memcpy(auth.ssid.ssid, ev->ssid, len);
		auth.ssid.ssid_len = len;
	}

	auth.key_mgmt_suite = le32_to_cpu(ev->akm_suite);
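
Review bot: In the `if (ev->ssid_len)` block, `clamp_val(ev->ssid_len, 0, IEEE80211_MAX_SSID_LEN)` silently truncates an oversized length, so a malformed event is still processed and `auth` carries a shortened SSID that the sender never supplied. Consider treating `ev->ssid_len > IEEE80211_MAX_SSID_LEN` as an invalid event and bailing out with an error (and a log message) before the `memcpy`, rather than copying a truncated value. If the field is unsigned, the lower bound of 0 does no work inside a branch that already requires a non-zero length, and `min_t()` would express the same bound more directly. The hunk also does not show any check that the event buffer actually holds `len` bytes at `ev->ssid`; if that is validated earlier in the function, a short comment saying so would help the next reader.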