| author | tinlin <tinlin@codeaurora.org> | 2018-10-16 15:28:39 +0800 |
|---|---|---|
| committer | Kelly Rossmoyer <krossmo@google.com> | 2019-05-09 23:18:01 +0000 |
| commit | b9e963d973d0a507ed88ac8d3199ac7b89e851fb (patch) | |
| tree | 25983f71fe590346eb030014ee95f1402e347098 | |
| parent | 0da2144509ad97742e3319a3771cc0425d79c4d0 (diff) | |
qcacld-2.0: Fix possible OOB access in limProcessDisassocFrame
Propagation from cld3.0 to cld2.0.
Reason code is extracted from frame data without
validating frame len, which could result in an
out-of-bounds access. Fix is to validate frame len
before extracting the reason code from frame data.
Bug: 78530292
Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7
CRs-Fixed: 2333989
Signed-off-by: Roger Wang <wangroger@google.com>
| -rw-r--r-- | drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c index 7de95743d5a..81c9f0ae3c3 100644 --- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c +++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c @@ -78,13 +78,13 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession tpSirMacMgmtHdr pHdr; tpDphHashNode pStaDs; tLimMlmDisassocInd mlmDisassocInd; -#ifdef WLAN_FEATURE_11W + tANI_U32 frameLen; -#endif int8_t frame_rssi; pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo); pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo); + frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); frame_rssi = (int8_t)WDA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo); if (limIsGroupAddr(pHdr->sa)) @@ -126,7 +126,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession return; } - #ifdef WLAN_FEATURE_11W /* PMF: If this session is a PMF session, then ensure that this frame was protected */ if(psessionEntry->limRmfEnabled && (WDA_GET_RX_DPU_FEEDBACK(pRxPacketInfo) & DPU_FEEDBACK_UNPROTECTED_ERROR)) @@ -134,7 +133,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession PELOGE(limLog(pMac, LOGE, FL("received an unprotected disassoc from AP"));) // If the frame received is unprotected, forward it to the supplicant to initiate // an SA query - frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); //send the unprotected frame indication to SME limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType, (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)), @@ -143,6 +141,10 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession } #endif + if (frameLen < 2) { + PELOGE(limLog(pMac, LOGE, FL("frame len less than 2"));) + return; + } // Get reasonCode from Disassociation frame body reasonCode = sirReadU16(pBody); |
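Review bot: The length guard added in the last hunk, `if (frameLen < 2)`, uses a bare literal, and its log line says nothing about the rejected frame. Tying the bound to what is actually read and logging the length would make the check easier to audit and triage: `if (frameLen < sizeof(tANI_U16)) {` with `FL("disassoc frame too short for reason code, len %u")` and `frameLen` as the argument. Since a truncated disassociation frame arrives over the air, this message is reachable from remote input at LOGE, so a lower or rate-limited level may be worth considering. The guard sits after the WLAN_FEATURE_11W block, so on the unprotected-frame path `frameLen + sizeof(tSirMacMgmtHdr)` is still handed to limSendSmeUnprotectedMgmtFrameInd before any minimum-length check; the visible lines do not read the reason code there, but a one-line comment stating that this is intentional would help. The function body starts and ends outside these hunks, so earlier uses of `pBody` could not be checked from here.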
