From d6d79e884c3c4bc9efd7135eb802c076e72d4195 Mon Sep 17 00:00:00 2001
From: gaurank kathpalia
Date: Wed, 1 Nov 2017 10:45:40 +0530
Subject: [PATCH] qcacld-3.0: Add check for set_ft_ies length

In file sme_ft_api.c, function sme_set_ft_ies(), the ft_ies_length is user-controlled so there is a possibility of integer overflow. Add Sanity check to avoid integer overflow.

Change-Id: Idab80abeca35397be7ec13ca81c7ccb8be8ef256
CRs-Fixed: 2100965
---
 core/sme/src/common/sme_ft_api.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/core/sme/src/common/sme_ft_api.c b/core/sme/src/common/sme_ft_api.c
index f0e7b427a1dc3..82e85bcb51b68 100644
--- a/core/sme/src/common/sme_ft_api.c
+++ b/core/sme/src/common/sme_ft_api.c
@@ -195,6 +195,9 @@ void sme_set_ft_ies(tHalHandle hal_ptr, uint32_t session_id,
 * reassoc req. This is the new FT Roaming in place At
 * this juncture we'r ready to start sending Reassoc req
 */
+
+ ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);
+
 sme_debug("New Reassoc Req: %pK in state %d",
 ft_ies, session->ftSmeContext.FTState);
 if ((session->ftSmeContext.reassoc_ft_ies) &&
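Review bot: The added `ft_ies_length = QDF_MIN(ft_ies_length, MAX_FTIE_SIZE);` silently truncates an oversized FT IE blob instead of rejecting it, so a caller-supplied length above MAX_FTIE_SIZE is presumably still stored for the reassoc request, cut off at an arbitrary byte, with nothing logged. Rejecting is easier to reason about and to detect: `if (ft_ies_length > MAX_FTIE_SIZE) {` followed by an error log of the offending length and the function's normal exit path. The clamp also sits under the comment for the post-pre-auth state only; if other branches of sme_set_ft_ies copy ft_ies with the same length, they look unguarded by this change, and validating once before the state dispatch would cover them. The function body starts and ends outside this hunk, so the exit path and the other branches need to be confirmed against the full file.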