authorSourav Mohapatra <mohapatr@codeaurora.org>2019-09-05 14:34:19 +0530
committernshrivas <nshrivas@codeaurora.org>2019-10-15 22:52:34 -0700
commitfc1186cfcb3647633bb76afa9b7fd6ef7b317c2c (patch)
tree9fe6bfc0025a45afe69629dca855e8cc291ebe9f
parentd5c2ff6edbe9ebc7e4d3f486a9a30dd865ba65c1 (diff)
qcacld-3.0: Prevent possible OOB access in hdd_sendactionframe
In the function hdd_sendactionframe, the parameters passed include the payload and the corresponding payload length, the payload being a generic pointer. The payload is then cast to the destination structure of type tpSirMacVendorSpecificFrameHdr. If the size of the payload specified in payload_len is less than the size of the destination structure, there is a possibility of an OOB read while accessing it. To prevent this security vulnerability, add a sanity check for the payload_len against the size of the destination structure. Change-Id: Ib0e7b7bfcf78412d81f18cf887e5296d80272598 CRs-Fixed: 2517858
-rw-r--r--core/hdd/src/wlan_hdd_ioctl.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_ioctl.c b/core/hdd/src/wlan_hdd_ioctl.c
index 207d48b91468..3d0418a5ca23 100644
--- a/core/hdd/src/wlan_hdd_ioctl.c
+++ b/core/hdd/src/wlan_hdd_ioctl.c
@@ -1055,6 +1055,11 @@ hdd_sendactionframe(hdd_adapter_t *adapter, const uint8_t *bssid,
struct cfg80211_mgmt_tx_params params;
#endif
+ if (payload_len < sizeof(tSirMacVendorSpecificFrameHdr)) {
+ hdd_warn("Invalid payload length: %d", payload_len);
+ return -EINVAL;
+ }
+
if (QDF_STA_MODE != adapter->device_mode) {
hdd_warn("Unsupported in mode %s(%d)",
hdd_device_mode_to_string(adapter->device_mode),
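Review bot: The added length check at the top of the hunk compares `payload_len` against a `sizeof` result, so if `payload_len` is a signed `int` (the `%d` in the warning suggests it is, but the declaration is outside the hunk) a negative value is converted to a large unsigned number and passes the check. Rejecting negatives explicitly closes that gap: `if (payload_len < 0 || (size_t)payload_len < sizeof(tSirMacVendorSpecificFrameHdr)) {`. The check also only guarantees that the fixed header is present; any later read past the header would need its own bound, which cannot be confirmed here because the body of hdd_sendactionframe starts and ends outside the hunk.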