authorVignesh Viswanathan <viswanat@codeaurora.org>2017-09-15 17:45:58 +0530
committerJeferson Oliveira <jroliveira.oliveira301@gmail.com>2021-08-17 21:05:19 +0200
commit6643008fa3ecb459d7b6600d935b712bef86e07c (patch)
treefbf3ebfa78ecbd6a2365f8ffb60e6857dd2bad67
parentdb08f100dff9c3dc2faec418068e75c7ce1f8963 (diff)
wlan: Fix out-of-bounds access in limProcessActionFrameNoSession
Currently, in the function limProcessActionFrameNoSession, mem_cmp is done on the received frame pointer without validating frame_len, which could lead to out-of-bounds memory access if frame_len does not match the size of action_hdr. Add a check that validates frame_len against the action_hdr size before doing mem_cmp for the P2P OUI.

Change-Id: I39329d1a9ef45614d3c617db11a7a7f5ec2aaaec
CRs-Fixed: 2110756
(cherry picked from commit bc13a475626dbbc7d3bac85f1b020d4ac1724cb6)
-rw-r--r--drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c18
1 files changed, 18 insertions, 0 deletions
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index 666474bcd75..abedd3e1101 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -2519,6 +2519,15 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
{
tpSirMacVendorSpecificPublicActionFrameHdr pPubAction = (tpSirMacVendorSpecificPublicActionFrameHdr) pActionHdr;
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+ tANI_U32 frameLen;
+
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+ if (frameLen < sizeof(pActionHdr)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"), frameLen);
+ break;
+ }
if (frameLen < sizeof(*pActionHdr)) {
limLog(pMac, LOG1,
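Review bot: The added guard `if (frameLen < sizeof(pActionHdr))` measures the pointer rather than the header it points to, so the minimum accepted length is the platform pointer width instead of the structure size; it should read `if (frameLen < sizeof(*pActionHdr)) {`, as the unchanged check directly below it in this hunk already does. The second hunk (limProcessActionFrameNoSession) uses the same expression just before `vos_mem_compare(pActionHdr->Oui, P2POui, 4)`, so a frame shorter than the header could still reach the OUI comparison if the structure is larger than a pointer; pActionHdr is declared outside both hunks and both case blocks continue past them, so its type needs confirming. In this hunk the new `tANI_U32 frameLen;` also appears to shadow a frameLen that the following context line already uses, which would make the added block redundant in limProcessActionFrame. Since frameLen is unsigned, the log format should be `%u` rather than `%d`.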
@@ -2670,6 +2679,15 @@ limProcessActionFrameNoSession(tpAniSirGlobal pMac, tANI_U8 *pBd)
case SIR_MAC_ACTION_VENDOR_SPECIFIC:
{
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+ tANI_U32 frameLen;
+
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
+
+ if (frameLen < sizeof(pActionHdr)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"), frameLen);
+ break;
+ }
//Check if it is a P2P public action frame.
if (vos_mem_compare(pActionHdr->Oui, P2POui, 4))