From c184d962cdb0832bb227da40710dd50e521cd99e Mon Sep 17 00:00:00 2001 From: Abhinav Kumar Date: Wed, 20 Jun 2018 15:02:00 +0530 Subject: qcacld-3.0: Fix out-of-bounds access in lim_process_assoc_req_frame Currently the function lim_process_assoc_req_frame uses frame_len without validation to parse the IE buffer which could lead to out-of-bounds memory access if the frame_len is less than or equal to LIM_ASSOC_REQ_IE_OFFSET(4). Add check to validate the frame_len with LIM_ASSOC_REQ_IE_OFFSET before sending frame_len - LIM_ASSOC_REQ_IE_OFFSET to cfg_get_vendor_ie_ptr_from_oui to parse the only IE buffer. Change-Id: Iaa9e8db4a2605169c9ad3904878a2e626eb6de8b CRs-Fixed: 2259707 --- core/mac/src/pe/lim/lim_process_assoc_req_frame.c | 5 +++++ 1 file changed, 5 insertions(+) (limited to 'core/mac/src') diff --git a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c index eb1b8c7d1af9..661d8e395bf1 100644 --- a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c +++ b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c @@ -1841,6 +1841,11 @@ void lim_process_assoc_req_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info, if ((session->access_policy_vendor_ie) && (session->access_policy == LIM_ACCESS_POLICY_RESPOND_IF_IE_IS_PRESENT)) { + if (frame_len <= LIM_ASSOC_REQ_IE_OFFSET) { + pe_debug("Received action frame of invalid len %d", + frame_len); + return; + } if (!cfg_get_vendor_ie_ptr_from_oui(mac_ctx, &session->access_policy_vendor_ie[2], 3, frm_body + LIM_ASSOC_REQ_IE_OFFSET, -- cgit v1.2.3