authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2020-01-29 15:38:50 +0530
committerIsaac Chiou <isaacchiou@google.com>2020-05-18 14:43:04 +0800
commitfa4f0754b2f8e2f1712abe3f0f835b024e769b13 (patch)
tree89d4e8ec24bb53caba3a6675533d9bf5b3e37b7c
parent725e65c70af7878f9cfdf779ce53bf93fd0e8a5b (diff)
downloadqcacld-fa4f0754b2f8e2f1712abe3f0f835b024e769b13.tar.gz
qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()
In function rrm_fill_beacon_ies, the total IE length is calculated as the sum of the length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe. Validate len against the total IE length to avoid overflow. Bug: 155653491 Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88 CRs-Fixed: 2573329
-rw-r--r--core/mac/src/pe/rrm/rrm_api.c9
1 files changed, 8 insertions, 1 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 3ca467f57b..d7d789542b 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -722,10 +722,17 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
pIes += sizeof(uint16_t);
while (BcnNumIes > 0) {
- len = *(pBcnIes + 1) + 2; /* element id + length. */
+ len = *(pBcnIes + 1);
+ len += 2; /* element id + length. */
pe_debug("EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes + 1), len);
+ if (BcnNumIes < len) {
+ pe_err("RRM: Invalid IE len:%d exp_len:%d",
+ len, BcnNumIes);
+ break;
+ }
+
i = 0;
do {
if (((eids == NULL) || (*pBcnIes == eids[i])) &&