authorGururaj Pandurangi <panduran@codeaurora.org>2021-10-14 18:54:56 -0700
committerGerrit - the friendly Code Review server <code-review@localhost>2021-11-01 23:02:00 -0700
commitb88e05e1321b1c67585d23de006d6dfa403db239 (patch)
tree9b99edabafdd0c7c42d0edccf5508048b9aa37c0
parenta00610418b37ca256ace4e6394f56588e3121638 (diff)
qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset
Avoid an OOB read in the sch_get_csa_ecsa_count_offset API by adding a check on ie_len before subtracting the element length from it. Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7 CRs-Fixed: 3049251
-rw-r--r--core/mac/src/pe/sch/sch_beacon_gen.c7
1 files changed, 5 insertions, 2 deletions
diff --git a/core/mac/src/pe/sch/sch_beacon_gen.c b/core/mac/src/pe/sch/sch_beacon_gen.c
index 511b07cf699f..e037e45c9faa 100644
--- a/core/mac/src/pe/sch/sch_beacon_gen.c
+++ b/core/mac/src/pe/sch/sch_beacon_gen.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -156,7 +156,7 @@ sch_append_addn_ie(tpAniSirGlobal mac_ctx, tpPESession session,
/**
* sch_get_csa_ecsa_count_offset() - get the offset of Switch count field
- * @ie: pointer to the beggining of IEs in the beacon frame buffer
+ * @ie: pointer to the beginning of IEs in the beacon frame buffer
* @ie_len: length of the IEs in the buffer
* @csa_count_offset: pointer to the csa_count_offset variable in the caller
* @ecsa_count_offset: pointer to the ecsa_count_offset variable in the caller
@@ -195,6 +195,9 @@ static void sch_get_csa_ecsa_count_offset(uint8_t *ie, uint32_t ie_len,
*ecsa_count_offset = offset +
SCH_ECSA_SWITCH_COUNT_OFFSET;
+ if (ie_len < elem_len)
+ return;
+
ie_len -= elem_len;
offset += elem_len;
ptr += (elem_len + 2);