| author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2018-06-25 18:26:26 +0530 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-06-28 08:13:57 -0700 |
| commit | e2ec5bac940df9a5e64f36c6d1c08bdcf45c2e22 (patch) | |
| tree | ba982206fb0b84f06694ef974042e783f31eba9c /core/mac/src | |
| parent | af893a81497b4ce357957f1e4de4c493247406af (diff) | |
qcacld-3.0: Fix possible heap overflow in lim_update_ext_cap_ie
In the function lim_process_set_default_scan_ie_request, memory
of MAX_DEFAULT_SCAN_IE_LEN (2048) is allocated for local_ie_buf.
This local_ie_buf accommodates the ie data and also the ext
capabilities. If the local_ie_len, that is used to copy the
ie_data to local_ie_buf is greater than
MAX_DEFAULT_SCAN_IE_LEN(2048) - (DOT11F_IE_EXTCAP_MAX_LEN(15) +
EXT_CAP_IE_HDR_LEN(2)), then heap overflow could occur.
Validate local_ie_len against the difference between
MAX_DEFAULT_SCAN_IE_LEN and the sum of EXT_CAP_IE_HDR_LEN and
DOT11F_IE_EXTCAP_MAX_LEN.
Change-Id: Id2f950440d69ddb09090643f8a426061c0d336c3
CRs-Fixed: 2231300
Diffstat (limited to 'core/mac/src')
| -rw-r--r-- | core/mac/src/pe/lim/lim_api.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_api.c b/core/mac/src/pe/lim/lim_api.c
index c71929ede3ac..c14be9b74fd8 100644
--- a/core/mac/src/pe/lim/lim_api.c
+++ b/core/mac/src/pe/lim/lim_api.c
@@ -2487,6 +2487,11 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
 return QDF_STATUS_E_FAILURE;
 }
 
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN - EXT_CAP_IE_HDR_LEN)) {
+ pe_err("Invalid Scan IE length");
+ return QDF_STATUS_E_FAILURE;
+ }
+
 /* copy ie prior to ext cap to local buffer */
 qdf_mem_copy(local_ie_buf, ie_data, (*local_ie_len));
 
@@ -2503,6 +2508,11 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
 pe_err("Failed %d to create ext cap IE. Use default value instead",
 status);
 local_ie_buf[*local_ie_len + 1] = DOT11F_IE_EXTCAP_MAX_LEN;
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN -
+ (DOT11F_IE_EXTCAP_MAX_LEN + EXT_CAP_IE_HDR_LEN))) {
+ pe_err("Invalid Scan IE length");
+ return QDF_STATUS_E_FAILURE;
+ }
 (*local_ie_len) += EXT_CAP_IE_HDR_LEN;
 qdf_mem_copy(local_ie_buf + (*local_ie_len),
 default_scan_ext_cap.bytes,
@@ -2512,6 +2522,12 @@ QDF_STATUS lim_update_ext_cap_ie(tpAniSirGlobal mac_ctx,
 }
 lim_merge_extcap_struct(&driver_ext_cap, &default_scan_ext_cap, true);
 local_ie_buf[*local_ie_len + 1] = driver_ext_cap.num_bytes;
+
+ if ((*local_ie_len) > (MAX_DEFAULT_SCAN_IE_LEN -
+ (EXT_CAP_IE_HDR_LEN + driver_ext_cap.num_bytes))) {
+ pe_err("Invalid Scan IE length");
+ return QDF_STATUS_E_FAILURE;
+ }
 (*local_ie_len) += EXT_CAP_IE_HDR_LEN;
 qdf_mem_copy(local_ie_buf + (*local_ie_len), driver_ext_cap.bytes,
 driver_ext_cap.num_bytes); |
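Review bot: All three new checks (this hunk and the `@@ -2503` and `@@ -2512` hunks) hard-code the caller's allocation size, MAX_DEFAULT_SCAN_IE_LEN, inside lim_update_ext_cap_ie, so the function is memory-safe only for a local_ie_buf of exactly that capacity; the commit message ties this to lim_process_set_default_scan_ie_request, but nothing in the function's interface records the assumption, and any other caller with a smaller buffer would be unprotected. Either pass the buffer capacity as a parameter and compare against that, or at minimum add at the function head (outside this hunk) a comment such as `/* local_ie_buf must hold at least MAX_DEFAULT_SCAN_IE_LEN bytes; the length checks below rely on it */`. The second and third checks run only after ie_data has already been copied and the length byte has been written at `local_ie_buf[*local_ie_len + 1]`; those writes are in bounds solely because of the first check, which deserves a one-line comment, and if driver_ext_cap.num_bytes is bounded by DOT11F_IE_EXTCAP_MAX_LEN (it appears to be, but confirm) a single check of `*local_ie_len > MAX_DEFAULT_SCAN_IE_LEN - (EXT_CAP_IE_HDR_LEN + DOT11F_IE_EXTCAP_MAX_LEN)` at the first site would reject oversized input before anything is copied and make the later two redundant. All three sites log the identical `"Invalid Scan IE length"`; including the offending value, with a format specifier matching local_ie_len's type, would make the failing site identifiable from the log. lim_update_ext_cap_ie begins before and continues past every hunk.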
