| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2017-12-20 19:58:58 +0530 |
|---|---|---|
| committer | snandini <snandini@codeaurora.org> | 2017-12-20 23:10:28 -0800 |
| commit | 81c5cbd187d4ddbd992d8ecee1ecb5029b2ea74a (patch) | |
| tree | bdc78b06f3d5283ac50fa86d4d45a6f5523ec076 | |
| parent | 7ad52ca132fb78ab803f11dce030065474b6bb6b (diff) | |
qcacld-3.0: Fix potential OOB read in lim_parse_kde_elements
In function lim_parse_kde_elements, while parsing the KDE list from
the assoc response frame, elem_len is obtained from the frame buffer.
elem_len is then used to find the matching OUI for KDE OUI type and
then to calculate data_len based on the offset for the GTK/IGTK data
types.
If the value in the elem_len field of the frame is less than the Data
Offset (which includes the OUI and data type) or the GTK/IGTK offset,
then an OOB read would occur.
Add checks to validate the elem_len with Data offset and then with
the GTK/IGTK offset based on the data type.
Change-Id: I8ae31c6d6c28e88ad9bda757b3f1ff2585f8a553
CRs-Fixed: 2161920
| -rw-r--r-- | core/mac/src/pe/lim/lim_process_fils.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 7ee3b4aa1ec7..c2d6f966b0d5 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -1352,6 +1352,12 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
 return QDF_STATUS_E_FAILURE;
 }
+ if (elem_len < KDE_IE_DATA_OFFSET) {
+ pe_err("Not enough len to parse elem_len %d",
+ elem_len);
+ return QDF_STATUS_E_FAILURE;
+ }
+
 if (lim_check_if_vendor_oui_match(mac_ctx, KDE_OUI_TYPE, KDE_OUI_TYPE_SIZE, current_ie, elem_len)) {
@@ -1361,6 +1367,11 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
 switch (data_type) {
 case DATA_TYPE_GTK:
+ if (data_len < GTK_OFFSET) {
+ pe_err("Invalid KDE data_len %d",
+ data_len);
+ return QDF_STATUS_E_FAILURE;
+ }
 qdf_mem_copy(fils_info->gtk, (ie_data + GTK_OFFSET), (data_len - GTK_OFFSET));
@@ -1368,6 +1379,11 @@ static QDF_STATUS lim_parse_kde_elements(tpAniSirGlobal mac_ctx,
 break;
 case DATA_TYPE_IGTK:
+ if (data_len < IGTK_OFFSET) {
+ pe_err("Invalid KDE data_len %d",
+ data_len);
+ return QDF_STATUS_E_FAILURE;
+ }
 fils_info->igtk_len = (data_len - IGTK_OFFSET);
 qdf_mem_copy(fils_info->igtk, (ie_data + IGTK_OFFSET), (data_len - |
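Review bot: The new guard's message `"Not enough len to parse elem_len %d"` logs only the observed length and not the bound it failed, so a log reader cannot tell which of the length checks in this function fired; `pe_err("KDE elem_len %d shorter than header len %d", elem_len, KDE_IE_DATA_OFFSET);` would make the rejection self-explanatory. A one-line comment above the check recording what the constant covers, e.g. `/* element must at least hold the KDE OUI and the data-type byte */`, would also document why this is the right lower bound. Note that the check fails the whole parse rather than skipping the element; if the key data can legitimately carry padding or unknown short elements after the keys (this depends on the loop, which lies outside the hunk), rejecting the frame may be stricter than intended. The enclosing function lim_parse_kde_elements starts and ends outside the hunk.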
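Review bot: The added check bounds data_len only from below; the copy `qdf_mem_copy(fils_info->gtk, (ie_data + GTK_OFFSET), (data_len - GTK_OFFSET))` still takes its length from the frame, so if fils_info->gtk is a fixed-size array (its declaration is not in the hunk) a KDE longer than that array overruns the destination even though the read is now in bounds. The same applies to the IGTK copy in the following hunk. A guard placed right after the new minimum check, `if (data_len - GTK_OFFSET > sizeof(fils_info->gtk)) return QDF_STATUS_E_FAILURE;`, and the equivalent with `sizeof(fils_info->igtk)` for the IGTK case, would close the write side; if gtk is a pointer rather than an inline array, compare against its allocated length instead. The enclosing function lim_parse_kde_elements starts and ends outside the hunk.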
