authorsheenam monga <shebala@codeaurora.org>2020-02-05 16:29:23 +0530
committerJeferson Oliveira <jroliveira.oliveira301@gmail.com>2021-08-17 21:04:39 +0200
commitdb08f100dff9c3dc2faec418068e75c7ce1f8963 (patch)
tree553a82aa1b4a6db07199a2c06770e9f4f7f87a28
parenta05b778d43e43072e97363f0773d20c3635ddef8 (diff)
wlan: Check for minimum frameLen for action frames
Propagation to pronoto from cld2.0. In limProcessActionFrame and limProcessActionFrameNoSession, the Rx frame pointer is cast directly to the action frame header to find the action frame category and action ID without validating the minimum length of the frame. If the frame length is less than the action frame header length, an out-of-bounds (OOB) read occurs. Check whether frame_len is less than the action frame header size and return if it is. Change-Id: Idf8ca7eeacdf57171d2850fe6317784911830aac CRs-Fixed: 2598901 (cherry picked from commit 382cabdaa5b3d7423600679248e771d285643aae)
-rw-r--r--drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c43
1 files changed, 23 insertions, 20 deletions
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index 5a075deb5cd..666474bcd75 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016, 2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019-2020 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -2262,9 +2262,17 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
{
tANI_U8 *pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
tpSirMacActionFrameHdr pActionHdr = (tpSirMacActionFrameHdr) pBody;
-#ifdef WLAN_FEATURE_11W
+ tANI_U8 frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
tpSirMacMgmtHdr pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
+ if (frameLen < sizeof(*pActionHdr)) {
+ limLog(pMac, LOGE,
+ FL("frame_len %d less than Action Frame Hdr size"),
+ frameLen);
+ return;
+ }
+
+#ifdef WLAN_FEATURE_11W
if (lim_is_robust_mgmt_action_frame(pActionHdr->category) &&
limDropUnprotectedActionFrame(pMac, psessionEntry, pHdr,
pActionHdr->category)) {
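Review bot: `tANI_U8 frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);` stores the payload length in an 8-bit variable, while the same value is kept in a `tANI_U32` in limProcessActionFrameNoSession (+2653 hunk) and was a `tANI_U32` in the local that the +2519 hunk removes. Any action frame whose payload is 256 bytes or longer is reduced modulo 256 before the comparison, so long but legitimate frames can be rejected here, and the vendor-specific check in the +2476 hunk, the public-action check in the +2519 hunk, and any other use of `frameLen` further down the function see the same truncated value. The truncated value is never larger than the real length, so the header-size guard still errs on the safe side; the cost is dropped frames and wrong length-dependent parsing, not a memory-safety hole. Declare it as `tANI_U32 frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);` to match the other function. limProcessActionFrame's body continues well beyond this hunk.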
@@ -2425,9 +2433,7 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
case SIR_MAC_WNM_NOTIF_REQUEST:
case SIR_MAC_WNM_NOTIF_RESPONSE:
{
- tpSirMacMgmtHdr pHdr;
tANI_S8 rssi = WDA_GET_RX_RSSI_DB(pRxPacketInfo);
- pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
/* Forward to the SME to HDD to wpa_supplicant */
limSendSmeMgmtFrameInd(pMac, psessionEntry->smeSessionId,
pRxPacketInfo,
@@ -2470,10 +2476,13 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
case SIR_MAC_ACTION_VENDOR_SPECIFIC_CATEGORY:
{
tpSirMacVendorSpecificFrameHdr pVendorSpecific = (tpSirMacVendorSpecificFrameHdr) pActionHdr;
- tpSirMacMgmtHdr pHdr;
tANI_U8 Oui[] = { 0x00, 0x00, 0xf0 };
- pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
+ if(frameLen < sizeof(*pVendorSpecific)) {
+ limLog(pMac, LOGE,
+ FL("frame len %d less than Vendor Specific Hdr len"), frameLen);
+ break;
+ }
//Check if it is a vendor specific action frame.
if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) &&
@@ -2510,11 +2519,8 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
{
tpSirMacVendorSpecificPublicActionFrameHdr pPubAction = (tpSirMacVendorSpecificPublicActionFrameHdr) pActionHdr;
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
- tANI_U32 frameLen;
-
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
- if (frameLen < sizeof(pActionHdr)) {
+ if (frameLen < sizeof(*pActionHdr)) {
limLog(pMac, LOG1,
FL("Received action frame of invalid len %d"),
frameLen);
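Review bot: The corrected guard `if (frameLen < sizeof(*pActionHdr))` compares against the generic `tSirMacActionFrameHdr`, but this case casts the body to `tpSirMacVendorSpecificPublicActionFrameHdr` (`pPubAction`) and, judging by the `P2POui` array declared just above, presumably goes on to read `pPubAction->Oui`, which the generic header size does not cover. Since the function-level check added at the top of limProcessActionFrame already returns when `frameLen < sizeof(*pActionHdr)`, this comparison can no longer be true unless `frameLen` is modified in between, so it rejects nothing. Compare against the header actually dereferenced in this case, `if (frameLen < sizeof(*pPubAction)) {`, as the no-session variant (+2653 hunk) does with its own header type. The remainder of this case body lies outside the hunk.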
@@ -2647,9 +2653,16 @@ limProcessActionFrameNoSession(tpAniSirGlobal pMac, tANI_U8 *pBd)
{
tANI_U8 *pBody = WDA_GET_RX_MPDU_DATA(pBd);
tpSirMacVendorSpecificPublicActionFrameHdr pActionHdr = (tpSirMacVendorSpecificPublicActionFrameHdr) pBody;
+ tANI_U32 frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
limLog( pMac, LOG1, "Received a Action frame -- no session");
+ if (frameLen < sizeof(*pActionHdr)) {
+ limLog(pMac, LOGE,
+ FL("Received action frame of invalid len %d"), frameLen);
+ return;
+ }
+
switch ( pActionHdr->category )
{
case SIR_MAC_ACTION_PUBLIC_USAGE:
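Review bot: The new function-level guard `if (frameLen < sizeof(*pActionHdr))` measures against the vendor-specific public action header, although the `switch (pActionHdr->category)` immediately below only needs the generic category field; any public action frame shorter than that header is now dropped before the switch, where previously only the vendor-specific case applied a length check. If other cases of this switch (outside the hunk) handle public action frames that are shorter than the vendor-specific header, they are silently rejected by this change. If that is not intended, the top-level check should use the generic action header size and the vendor-specific case should keep its own `sizeof(*pActionHdr)` check. Also note the `%d` conversion is used for a `tANI_U32` in the new limLog call, matching the pre-existing log but formally mismatched; `%u` would be exact.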
@@ -2657,16 +2670,6 @@ limProcessActionFrameNoSession(tpAniSirGlobal pMac, tANI_U8 *pBd)
case SIR_MAC_ACTION_VENDOR_SPECIFIC:
{
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
- tANI_U32 frameLen;
-
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
-
- if (frameLen < sizeof(pActionHdr)) {
- limLog(pMac, LOG1,
- FL("Received action frame of invalid len %d"),
- frameLen);
- break;
- }
//Check if it is a P2P public action frame.
if (vos_mem_compare(pActionHdr->Oui, P2POui, 4))