authorAbhinav Kumar <abhikuma@codeaurora.org>2018-06-20 15:02:00 +0530
committernshrivas <nshrivas@codeaurora.org>2018-06-28 08:14:00 -0700
commitc184d962cdb0832bb227da40710dd50e521cd99e (patch)
tree53531037f9fd63fa256cdffaaf1a2c637706080b /core
parente2ec5bac940df9a5e64f36c6d1c08bdcf45c2e22 (diff)
qcacld-3.0: Fix out-of-bounds access in lim_process_assoc_req_frame
Currently the function lim_process_assoc_req_frame uses frame_len without validation to parse the IE buffer, which could lead to out-of-bounds memory access if frame_len is less than or equal to LIM_ASSOC_REQ_IE_OFFSET (4). Add a check that validates frame_len against LIM_ASSOC_REQ_IE_OFFSET before passing frame_len - LIM_ASSOC_REQ_IE_OFFSET to cfg_get_vendor_ie_ptr_from_oui, so that only the IE buffer is parsed. Change-Id: Iaa9e8db4a2605169c9ad3904878a2e626eb6de8b CRs-Fixed: 2259707
Diffstat (limited to 'core')
-rw-r--r--core/mac/src/pe/lim/lim_process_assoc_req_frame.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
index eb1b8c7d1af9..661d8e395bf1 100644
--- a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
+++ b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c
@@ -1841,6 +1841,11 @@ void lim_process_assoc_req_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
if ((session->access_policy_vendor_ie) &&
(session->access_policy ==
LIM_ACCESS_POLICY_RESPOND_IF_IE_IS_PRESENT)) {
+ if (frame_len <= LIM_ASSOC_REQ_IE_OFFSET) {
+ pe_debug("Received action frame of invalid len %d",
+ frame_len);
+ return;
+ }
if (!cfg_get_vendor_ie_ptr_from_oui(mac_ctx,
&session->access_policy_vendor_ie[2],
3, frm_body + LIM_ASSOC_REQ_IE_OFFSET,
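Review bot: The debug message on the added line misidentifies the frame — this function processes association requests, not action frames — so `pe_debug("Received assoc req frame of invalid len %d", frame_len);` would make the log accurate for anyone grepping during triage. The new guard is also placed only inside the access-policy branch; if frame_len feeds other IE parsing later in lim_process_assoc_req_frame (its body continues past this hunk), hoisting the same `frame_len <= LIM_ASSOC_REQ_IE_OFFSET` check above the branch would protect every consumer of `frame_len - LIM_ASSOC_REQ_IE_OFFSET`, though I cannot confirm from this hunk whether an earlier validation already exists. The declared type of frame_len is not visible here; if it is unsigned, `%u` is the matching format specifier for the debug line.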