authorYeshwanth Sriram Guntuka <ysriramg@codeaurora.org>2018-06-07 14:58:29 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2018-06-19 22:46:00 -0700
commitd3d8ffffc91a8665f6103784bfff5bb4bec56891 (patch)
tree478f3469ea79039696f745ba325ab6db278be38e /core/mac/src
parent50b43217b7c91df9327b076aacaf4914262c8e11 (diff)
qcacld-3.0: Fix possible OOB access in lim_process_auth_frame
The key id is extracted from the data buffer without validating the length of the data, which could result in an out-of-bounds access. The fix is to validate the frame length before extracting the key id from the data buffer. Change-Id: I1f4d88b7ca6201f03a6bc8e6915f1479f571838f CRs-Fixed: 2254141
Diffstat (limited to 'core/mac/src')
-rw-r--r--core/mac/src/pe/lim/lim_process_auth_frame.c9
1 files changed, 9 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_auth_frame.c b/core/mac/src/pe/lim/lim_process_auth_frame.c
index 1b370aef0cf0..8948bda446af 100644
--- a/core/mac/src/pe/lim/lim_process_auth_frame.c
+++ b/core/mac/src/pe/lim/lim_process_auth_frame.c
@@ -1176,6 +1176,10 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info);
+ if (frame_len < 2) {
+ pe_err("invalid frame len: %d", frame_len);
+ return;
+ }
auth_alg = *(uint16_t *) body_ptr;
pe_debug("auth_alg %d ", auth_alg);
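Review bot: The added guard exits with `return;`, while the second guard in this commit (the `frame_len < 4` check in the next hunk) uses `goto free;`. The function starts outside this hunk, so confirm that nothing the `free` label releases has been acquired by this point, and record that in a comment such as `/* nothing allocated yet, so a plain return is safe */`. The literal `2` is the width of the `uint16_t` algorithm field read on the following line; `if (frame_len < sizeof(uint16_t)) {` would tie the bound to the read it protects.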
@@ -1224,6 +1228,11 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
mac_hdr->sa, pe_session, false);
goto free;
}
+
+ if (frame_len < 4) {
+ pe_err("invalid frame len: %d", frame_len);
+ goto free;
+ }
/* Extract key ID from IV (most 2 bits of 4th byte of IV) */
key_id = (*(body_ptr + 3)) >> 6;
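Review bot: The `frame_len < 4` guard bounds only the single read at `body_ptr + 3`; whatever this branch reads after the IV lies outside the hunk and needs its own length check against the encrypted body. Both new guards log the same text, so a log line cannot tell which one fired; `pe_err("auth frame too short for IV: %d", frame_len);` would make the two distinguishable. The `4` is the IV length that the following comment refers to and would read better as a named constant. Because the length comes from a received frame, these error-level messages can presumably be triggered repeatedly by a sender of malformed frames, so rate-limited logging is worth considering.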