From bf6a8da3af24a1156de797abc461544881cb5529 Mon Sep 17 00:00:00 2001
From: Qun Zhang
Date: Wed, 13 Jun 2018 14:11:55 +0800
Subject: qcacld-2.0: Add check for min buffer length in find_ie_defn

propagation from qcacld-3.0 to qcacld-2.0

In find_ie_defn function, if the current IE is an Ext IE with EID=255, the third byte of the IE is accessed to get the extn_eid. However, if the actual buffer length is less than 3, then an OOB read would occur while trying to access extn_eid.

Add check to access pbuf + 2 for extn_eid only if nbuf is greater than 2.

Change-Id: Id9708176affe35a85eb21a07901ae8ed62b78b9e
CRs-Fixed: 2259637
---
 CORE/MAC/src/include/dot11f.h | 2 +-
 CORE/SYS/legacy/src/utils/src/dot11f.c | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index b3a61e23f4fa..95f2eb4630de 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -32,7 +32,7 @@
 * \brief Structures, function prototypes & definitions
 * for working with 802.11 Frames
 * This file was automatically generated by 'framesc'
- * Wed Jun 13 10:58:49 2018 from the following file(s):
+ * Wed Jun 13 13:53:03 2018 from the following file(s):
 *
 * dot11f.frms
 *
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index b3cb14bae9c5..144c2d3ef627 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -30,7 +30,7 @@
 * \brief Structures, functions & definitions for
 * working with 802.11 Frames
 * This file was automatically generated by 'framesc'
- * Wed Jun 13 10:58:49 2018 from the following file(s):
+ * Wed Jun 13 13:53:03 2018 from the following file(s):
 *
 * dot11f.frms
 *
@@ -455,8 +455,9 @@ static const tIEDefn* FindIEDefn(tpAniSirGlobal pCtx,
 if (*pBuf == pIe->eid) { if (pIe->eid == 0xff) {
- if ((*(pBuf + 2)) == pIe->extn_eid)
- return pIe;
+ if ((nBuf > 2) &&
+ (*(pBuf + 2)) == pIe->extn_eid)
+ return pIe;
 } else { if (0 == pIe->noui) return pIe;
--
cgit v1.2.3
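Review bot: The new `nBuf > 2` guard bounds only the ext-EID read at `pBuf + 2`; the element-ID read at `*pBuf` on the first context line, and whatever the `else` branch reads after `pIe->noui` (presumably OUI bytes past `pBuf + 2`), are left to code outside this hunk, so it is worth confirming that FindIEDefn's callers already guarantee at least one byte and that the OUI comparison has its own length check. The bare constant would read better with a why-comment, e.g. `/* Ext element = EID, length, ext-EID: reading pBuf + 2 needs nBuf > 2 */`. Note that a truncated ext element now silently falls through to the next table entry as if unknown, which is the intended safe outcome, but since the enclosing loop and the function's final return are outside the hunk that behaviour should be stated in the function's header comment rather than left implicit.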