From 2420687607fbd5e7d06e4eae7b2311d80145f67d Mon Sep 17 00:00:00 2001
From: Vignesh Viswanathan
Date: Thu, 14 Sep 2017 20:03:26 +0530
Subject: qcacld-2.0: Fix out-of-bounds access in limProcessActionFrameNoSession

Currently in the function limProcessActionFrameNoSession, mem_cmp is done on the received frame pointer without validating the frame_len which could lead to out-of-bounds memory access if the frame_len is not matching the size of action_hdr.

Add check to validate the frame_len with action_hdr size before doing mem_cmp for the p2p oui.

Change-Id: I39329d1a9ef45614d3c617db11a7a7f5ec2aaaec
CRs-Fixed: 2109967
---
 CORE/MAC/src/pe/lim/limProcessActionFrame.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index ae31f9d90acc..0e0440310903 100644
--- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -1888,6 +1888,12 @@ limProcessActionFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,tpPESession ps
 pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
 frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 
+ if (frameLen < sizeof(pPubAction)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"), frameLen);
+ break;
+ }
+
 //Check if it is a P2P public action frame.
 if (vos_mem_compare(pPubAction->Oui, P2POui, 4))
 {
@@ -2068,6 +2074,12 @@ limProcessActionFrameNoSession(tpAniSirGlobal pMac, tANI_U8 *pBd)
 pHdr = WDA_GET_RX_MAC_HEADER(pBd);
 frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
 
+ if (frameLen < sizeof(pActionHdr)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"), frameLen);
+ break;
+ }
+
 //Check if it is a P2P public action frame.
 if (vos_mem_compare(pActionHdr->Oui, P2POui, 4))
 {
-- 
cgit v1.2.3
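Review bot: The new guard in the first hunk compares frameLen with `sizeof(pPubAction)`, and since pPubAction is a pointer (it is dereferenced with `->` two lines later) that is the size of the pointer itself, 4 or 8 bytes, not the size of the action header it points to, so a payload shorter than the header but longer than a pointer still reaches `vos_mem_compare(pPubAction->Oui, P2POui, 4)` and the out-of-bounds read this commit sets out to close stays reachable. The check should read `if (frameLen < sizeof(*pPubAction)) {`; the second hunk in limProcessActionFrameNoSession has the identical defect with `sizeof(pActionHdr)` and should become `sizeof(*pActionHdr)`. The `%d` in the log line presumes frameLen is a signed int, but its declaration is outside the hunk, so the specifier should be matched to the actual type (for example `%u` if it is unsigned) to avoid a format mismatch. Both enclosing functions begin and end outside their hunks, so the `break` is assumed to sit inside a switch case that is not visible here.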