authorJianmin Zhu <jianminz@codeaurora.org>2018-07-18 15:30:24 +0800
committernshrivas <nshrivas@codeaurora.org>2018-07-30 10:41:54 -0700
commit76a584159a9ebc47d3a994879ce19ca025fdb481 (patch)
treec9860300196e5ba10693f872439871e1d32dc786
parent96bd0d8937b05f3a20f0e23d85ebd7d174d9585e (diff)
qcacld-3.0: Avoid buffer overflow when process SA query action frame
There is no frame length check when extracting the 11w transaction id from SA Query request and response action frames; if the frame is shorter than expected, a buffer overflow will happen. Change-Id: Iddefa809023da244564cfd227ccfe8c2de5717c0 CRs-Fixed: 2263320
-rw-r--r--core/mac/src/pe/lim/lim_process_action_frame.c21
1 files changed, 17 insertions, 4 deletions
diff --git a/core/mac/src/pe/lim/lim_process_action_frame.c b/core/mac/src/pe/lim/lim_process_action_frame.c
index a70c1a7dfdf0..2153e605690f 100644
--- a/core/mac/src/pe/lim/lim_process_action_frame.c
+++ b/core/mac/src/pe/lim/lim_process_action_frame.c
@@ -48,6 +48,7 @@
#include "cds_concurrency.h"
#include "wma_types.h"
#include "wma.h"
+#include "dot11f.h"
#define BA_DEFAULT_TX_BUFFER_SIZE 64
@@ -1452,6 +1453,7 @@ static void __lim_process_sa_query_request_action_frame(tpAniSirGlobal pMac,
{
tpSirMacMgmtHdr pHdr;
uint8_t *pBody;
+ uint32_t frame_len;
uint8_t transId[2];
/* Prima --- Below Macro not available in prima
@@ -1460,7 +1462,12 @@ static void __lim_process_sa_query_request_action_frame(tpAniSirGlobal pMac,
pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frame_len < sizeof(struct sDot11fSaQueryReq)) {
+ pe_err("Invalid frame length");
+ return;
+ }
/* If this is an unprotected SA Query Request, then ignore it. */
if (pHdr->fc.wep == 0)
return;
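Review bot: The new guard at `if (frame_len < sizeof(struct sDot11fSaQueryReq))` bounds the payload against the in-memory size of a dot11f parser structure, not against the on-wire length of the SA Query Request body (category, action, two-byte transaction id); if that struct has padding or members beyond the wire fields the check rejects valid frames, and if it is smaller than the bytes later read from pBody it does not prevent the over-read the commit is meant to fix. An explicit minimum derived from the frame layout (four bytes, documented as category + action + transaction id) or a compile-time assertion that the struct size equals the wire length would make the intent verifiable; the same applies to the `sizeof(struct sDot11fSaQueryRsp)` check in the response handler hunk below. A one-line comment such as `/* body must hold category, action and the 2-byte transaction id */` above the check would also record why this size was chosen. Since any peer can send a short frame, the `pe_err` here is remotely triggerable per frame; a rate-limited or debug-level log may be preferable. The enclosing function __lim_process_sa_query_request_action_frame starts before this hunk and its transaction-id extraction, which this check protects, lies after it.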
@@ -1512,7 +1519,7 @@ static void __lim_process_sa_query_response_action_frame(tpAniSirGlobal pMac,
tpPESession psessionEntry)
{
tpSirMacMgmtHdr pHdr;
- uint32_t frameLen;
+ uint32_t frame_len;
uint8_t *pBody;
tpDphHashNode pSta;
uint16_t aid;
@@ -1520,16 +1527,22 @@ static void __lim_process_sa_query_response_action_frame(tpAniSirGlobal pMac,
uint8_t retryNum;
pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo);
- frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
pe_debug("SA Query Response received");
+ if (frame_len < sizeof(struct sDot11fSaQueryRsp)) {
+ pe_err("Invalid frame length");
+ return;
+ }
/* When a station, supplicant handles SA Query Response.
* Forward to SME to HDD to wpa_supplicant.
*/
if (LIM_IS_STA_ROLE(psessionEntry)) {
- lim_send_sme_mgmt_frame_ind(pMac, pHdr->fc.subType, (uint8_t *) pHdr,
- frameLen + sizeof(tSirMacMgmtHdr), 0,
+ lim_send_sme_mgmt_frame_ind(pMac, pHdr->fc.subType,
+ (uint8_t *)pHdr,
+ frame_len + sizeof(tSirMacMgmtHdr),
+ 0,
WMA_GET_RX_CH(pRxPacketInfo),
psessionEntry,
WMA_GET_RX_RSSI_NORMALIZED(