| author | tinlin <tinlin@codeaurora.org> | 2018-10-16 15:28:39 +0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-10-23 19:06:49 -0700 |
| commit | f82f504528b7fcb97a2dc20bff2813e3cc9ff169 (patch) | |
| tree | 42159b91ddf9c04e45af0dcfd26f2885d3209bfc | |
| parent | 071352ee12ba1f1dac8c11b021b60dc2e959b66f (diff) | |
qcacld-2.0: Fix possible OOB access in limProcessDisassocFrame
Propagation from cld3.0 to cld2.0.
Reason code is extracted from the frame body without validating
the frame length, which could result in an out-of-bounds read.
Fix is to validate frame len before extracting reason
code from frame data.
Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7
CRs-Fixed: 2333989
| -rw-r--r-- | CORE/MAC/src/pe/lim/limProcessDisassocFrame.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c index 7f8d5658a522..26bd868241db 100644 --- a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c +++ b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c @@ -77,14 +77,16 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession tpSirMacMgmtHdr pHdr; tpDphHashNode pStaDs; tLimMlmDisassocInd mlmDisassocInd; -#ifdef WLAN_FEATURE_11W + tANI_U32 frameLen; +#ifdef WLAN_FEATURE_11W bool need_ind_uplayer = true; #endif int8_t frame_rssi; pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo); pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo); + frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); frame_rssi = (int8_t)WDA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo); if (limIsGroupAddr(pHdr->sa)) @@ -126,6 +128,10 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession return; } + if (frameLen < 2) { + PELOGE(limLog(pMac, LOGE, FL("frame len less than 2"));) + return; + } // Get reasonCode from Disassociation frame body reasonCode = sirReadU16(pBody); @@ -150,7 +156,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession PELOGE(limLog(pMac, LOGE, FL("received an unprotected disassoc from AP"));) // If the frame received is unprotected, forward it to the supplicant to initiate // an SA query - frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); //send the unprotected frame indication to SME limSendSmeUnprotectedMgmtFrameInd(pMac, pHdr->fc.subType, (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)), |
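Review bot: The new length guard in the second hunk compares against a bare `2` and its log line drops the offending length, so whoever triages the log cannot tell a zero-length body from a one-byte one; tie the bound to the read it protects and log the value, e.g. `if (frameLen < sizeof(tANI_U16)) {` followed by `PELOGE(limLog(pMac, LOGE, FL("disassoc frame body too short: %u bytes"), frameLen);)`. The guard is sufficient for the `sirReadU16(pBody)` that follows it, assuming `WDA_GET_RX_PAYLOAD_LEN` reports the length of the body that `WDA_GET_RX_MPDU_DATA` points at, which these hunks cannot confirm. Any later read past the reason code elsewhere in the function would need its own bound against `frameLen`, since this check only covers the first two bytes. limProcessDisassocFrame begins before the first hunk and continues past the last one.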
