| field | value | date |
|---|---|---|
| author | tinlin <tinlin@codeaurora.org> | 2018-10-16 14:06:21 +0800 |
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-10-23 18:57:49 -0700 |
| commit | 51491603216f8ea76dd46439977edda6d9b179e8 (patch) | |
| tree | 58e706b527afcafe23b7f3c2b94ed9d00af4a520 | |
| parent | ca2722a14d1d8828a51e2592df3fa3f757af7290 (diff) | |
qcacld-2.0: Fix out-of-bounds access in limProcessAssocReqFrame
Propagation from cld3.0 to cld2.0.
Currently the function limProcessAssocReqFrame uses framelen
without validation to parse the IE buffer which could lead to
out-of-bounds memory access if the framelen is less than or
equal to LIM_ASSOC_REQ_IE_OFFSET(4).
Add check to validate the frame_len with LIM_ASSOC_REQ_IE_OFFSET
before sending frame_len - LIM_ASSOC_REQ_IE_OFFSET to
cfg_get_vendor_ie_ptr_from_oui to parse the only IE buffer.
Change-Id: Iaa9e8db4a2605169c9ad3904878a2e626eb6de8b
CRs-Fixed: 2333905
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c | 5 |

1 file changed, 5 insertions, 0 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c index de363a4eb3d6..e20b7aac7c79 100644 --- a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c +++ b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c @@ -384,6 +384,11 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, if ((psessionEntry->access_policy_vendor_ie) && (psessionEntry->access_policy == LIM_ACCESS_POLICY_RESPOND_IF_IE_IS_PRESENT)) { + if (framelen <= LIM_ASSOC_REQ_IE_OFFSET) { + limLog(pMac, LOGE, FL("Receive action frame of invalid len %d"), + framelen); + return; + } if (!cfg_get_vendor_ie_ptr_from_oui(pMac, &psessionEntry->access_policy_vendor_ie[2], 3, pBody + LIM_ASSOC_REQ_IE_OFFSET, |
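Review bot: The log text in the new check, `FL("Receive action frame of invalid len %d")`, misdescribes the frame; this function is limProcessAssocReqFrame and the frame being rejected is an association request, so the message should say so (e.g. "Received assoc req frame of invalid len %d"), otherwise anyone triaging a flood of these log lines will look at the wrong frame type. The bounds check itself is correct for the call it guards: with `framelen <= LIM_ASSOC_REQ_IE_OFFSET` the length passed as `framelen - LIM_ASSOC_REQ_IE_OFFSET` to cfg_get_vendor_ie_ptr_from_oui would otherwise be zero or wrap as an unsigned value, and `pBody + LIM_ASSOC_REQ_IE_OFFSET` would point past the frame. Since the check sits inside the `access_policy_vendor_ie` conditional, it only protects this one call path; consider validating framelen against the IE offset once at the top of the function so any other parsing of `pBody + LIM_ASSOC_REQ_IE_OFFSET` is covered as well. Minor: the commit message refers to `frame_len` while the code uses `framelen`; aligning the two helps when grepping for this fix across cld2.0 and cld3.0.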
