| author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2019-12-10 17:07:31 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2019-12-10 08:03:54 -0800 |
| commit | eceb6d0aeeaf730e11cb2bf08c8054b700bc1cc9 (patch) | |
| tree | 65a1ac02f4a04f88d9859e9c7f37ccb0d5e196c2 | |
| parent | 7c996700d20df7b3175cbcee7567bb5ad951f8d7 (diff) | |
qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()
In rrm_fill_beacon_ies(), the len is the total length of
IE + 2 bytes for element ID (1 byte) and length of the
IE (1 byte). Length is defined as type uint8_t and can hold
only values up to 255. When the IE content length is 254,
adding 2 bytes to this will cause the len to overflow
resulting in continuous loop in rrm_fill_beacon_ies.
Change the len type to uint16_t to avoid integer overflow.
Change-Id: Id6a6bcce150f778e24316ccc5fb51c6e2a95fc5e
CRs-Fixed: 2537774
| -rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 41 |
1 files changed, 16 insertions, 25 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index e001fbbb26fb..45f0a9dfe234 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -681,28 +681,19 @@ rrm_process_beacon_report_req(tpAniSirGlobal pMac,
 	return eRRM_SUCCESS;
 }
-/* -------------------------------------------------------------------- */
 /**
- * rrm_fill_beacon_ies
- *
- * FUNCTION:
- *
- * LOGIC: Fills Fixed fields and Ies in bss description to an array of uint8_t.
- *
- * ASSUMPTIONS:
- *
- * NOTE:
- *
- * @param pIes - pointer to the buffer that should be populated with ies.
- * @param pNumIes - returns the num of ies filled in this param.
- * @param pIesMaxSize - Max size of the buffer pIes.
- * @param eids - pointer to array of eids. If NULL, all ies will be populated.
- * @param numEids - number of elements in array eids.
- * @start_offset: Offset from where the IEs in the bss_desc should be parsed
- * @param pBssDesc - pointer to Bss Description.
- *
- * Returns: Remaining length of IEs in current bss_desc which are not included
- * in pIes.
+ * rrm_fill_beacon_ies() - Fills Fixed fields and Ies in bss description to an
+ * array of uint8_t.
+ * @pIes - pointer to the buffer that should be populated with ies.
+ * @pNumIes - returns the num of ies filled in this param.
+ * @pIesMaxSize - Max size of the buffer pIes.
+ * @eids - pointer to array of eids. If NULL, all ies will be populated.
+ * @numEids - number of elements in array eids.
+ * @offset: Offset from where the IEs in the bss_desc should be parsed
+ * @pBssDesc - pointer to Bss Description.
+ *
+ * Return: Remaining length of IEs in current bss_desc which are not included
+ * in pIes.
  */
 static uint8_t
 rrm_fill_beacon_ies(tpAniSirGlobal pMac,
@@ -710,8 +701,8 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 		    uint8_t *eids, uint8_t numEids,
 		    uint8_t start_offset, tpSirBssDescription pBssDesc)
 {
-	uint8_t len, *pBcnIes, count = 0, i;
-	uint16_t BcnNumIes, total_ies_len;
+	uint8_t *pBcnIes, count = 0, i;
+	uint16_t BcnNumIes, total_ies_len, len;
 	uint8_t rem_len = 0;
 	if ((pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL)) {
@@ -760,8 +751,8 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 		pe_debug("EID = %d, len = %d total = %d",
 			*pBcnIes, *(pBcnIes + 1), len);
-		if (!len) {
-			pe_err("Invalid length");
+		if (len <= 2) {
+			pe_err("RRM: Invalid IE");
 			break;
 		}
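Review bot: The new check `if (len <= 2)` in the third hunk rejects every element whose content length is 0, because len is the content length plus the two header bytes, and the `break` that follows stops the whole loop rather than skipping that one element; 802.11 permits zero-length elements (a zero-length SSID element is common in beacons), so every IE after such an element would be left out of the report unless code outside the hunk handles that case first. Now that len is uint16_t it can never be 0, so the only value the condition can match is 2; if the intent is to stop at trailing zero padding, a comment saying so (`/* content length 0: treat as end of IE list */`) would make that explicit, and if it is not, advancing pBcnIes past the empty element instead of breaking would keep the remaining elements. Separately, `rem_len` (second hunk) and the function's return type `static uint8_t` (first hunk) are still 8-bit, so a remaining length above 255 would be truncated wherever rem_len is derived from the widened `len`; how rem_len is computed is not visible here. rrm_fill_beacon_ies starts before and continues past these hunks.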
