| author | gaurank kathpalia <gkathpal@codeaurora.org> | 2018-10-25 20:23:12 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-11-04 01:36:53 -0700 |
| commit | a124690bb86ca389452e54d640d0849fb28c8c3d (patch) | |
| tree | eb62bd2782ce87391306d1d791f01015f2bd2643 | |
| parent | b129d024878f9bf05884692ca6fcbaee9a0823b7 (diff) | |
qcacld-2.0: Fix OOB read in limProcessDeauthFrame
Propagation from cld3.0 to cld2.0
In the API limProcessDeauthFrame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in an OOB read.
Fix is to have a min length check of 16 bits for the
reason code before accessing it.
Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2338742
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessDeauthFrame.c | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index e20aa3770c2b..21f73925cebe 100644
--- a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -80,9 +80,9 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
     tpPESession pRoamSessionEntry=NULL;
     tANI_U8 roamSessionId;
 #ifdef WLAN_FEATURE_11W
-    tANI_U32 frameLen;
     bool need_ind_uplayer = true;
 #endif
+    tANI_U32 frameLen;
     int8_t frame_rssi;
 
     pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
@@ -90,6 +90,13 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
     pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
     frame_rssi = (int8_t)WDA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
 
+    frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+    if (frameLen < sizeof(reasonCode)) {
+        PELOGE(limLog(pMac, LOGE,
+               FL("Invalid framelen received %d"), frameLen);)
+        return;
+    }
+
     if (LIM_IS_STA_ROLE(psessionEntry) &&
         ((eLIM_SME_WT_DISASSOC_STATE == psessionEntry->limSmeState) ||
          (eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState)))
@@ -161,7 +168,6 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
         PELOGE(limLog(pMac, LOGE,
                FL("received an unprotected deauth from AP"));)
         // If the frame received is unprotected, forward it to the supplicant to initiate
         // an SA query
-        frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
         //send the unprotected frame indication to SME
         limSendSmeUnprotectedMgmtFrameInd(pMac, pHdr->fc.subType,
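Review bot: The new error log in the second hunk prints `frameLen`, declared `tANI_U32` in the first hunk, with a `%d` conversion; the specifier should match the unsigned type, `FL("Invalid framelen received %u"), frameLen);`. The bound itself is `sizeof(reasonCode)`, so the minimum-length check tracks the declared type of the variable the payload is later copied into, which is the right anchor; `reasonCode` is declared outside the hunk, so its width is not visible here but is presumably 16 bits as the description says. A one-line comment above the check, `/* payload must carry at least the reason code; drop header-only deauth frames */`, would record why an otherwise valid MPDU is rejected. limProcessDeauthFrame begins before the first hunk and continues past the last one.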
