diff options
author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2020-01-29 15:38:50 +0530 |
---|---|---|
committer | Isaac Chiou <isaacchiou@google.com> | 2020-05-18 14:43:04 +0800 |
commit | fa4f0754b2f8e2f1712abe3f0f835b024e769b13 (patch) | |
tree | 89d4e8ec24bb53caba3a6675533d9bf5b3e37b7c | |
parent | 725e65c70af7878f9cfdf779ce53bf93fd0e8a5b (diff) | |
download | qcacld-fa4f0754b2f8e2f1712abe3f0f835b024e769b13.tar.gz |
qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()
In function rrm_fill_beacon_ies, the total IE length is
calculated as sum of length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe.
Validate the len against total IE length to avoid overflow.
Bug: 155653491
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
-rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c index 3ca467f57b..d7d789542b 100644 --- a/core/mac/src/pe/rrm/rrm_api.c +++ b/core/mac/src/pe/rrm/rrm_api.c @@ -722,10 +722,17 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac, pIes += sizeof(uint16_t); while (BcnNumIes > 0) { - len = *(pBcnIes + 1) + 2; /* element id + length. */ + len = *(pBcnIes + 1); + len += 2; /* element id + length. */ pe_debug("EID = %d, len = %d total = %d", *pBcnIes, *(pBcnIes + 1), len); + if (BcnNumIes < len) { + pe_err("RRM: Invalid IE len:%d exp_len:%d", + len, BcnNumIes); + break; + } + i = 0; do { if (((eids == NULL) || (*pBcnIes == eids[i])) && |