| author | Jyoti Kumari <jyotkuma@codeaurora.org> | 2021-01-29 12:59:07 +0530 |
|---|---|---|
| committer | Isaac Chiou <isaacchiou@google.com> | 2021-07-29 12:44:41 +0000 |
| commit | 93bd2df200cde2c6c9494d6f5c0bac3822fb6401 (patch) | |
| tree | 856fa0de683097fbccd0291cc90fc468ed3ae1f2 | |
| parent | 187ef758e2e74f24d73997b2dfa5080d7031bfcc (diff) | |
| download | qcacld-93bd2df200cde2c6c9494d6f5c0bac3822fb6401.tar.gz | |
qcacld-3.0: Fix integer underflow in assoc response frame

Tags/branches: android-s-beta-5_r0.2, android-12.0.0_r0.30, android-12.0.0_r0.3, android-12.0.0_r0.2, android-12.0.0_r0.11, android-msm-crosshatch-4.9-android12, android-msm-bonito-4.9-s-beta-5, android-msm-bonito-4.9-android12
In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is a possibility of integer underflow if the frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value
of the buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during the parsing process.
Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, then return failure.
Bug: 193070701
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
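The underflow the commit message describes, shown as a stand-alone added example (this is not qcacld code and does not reproduce the driver's functions). The offset value 6 is an assumption taken from the 802.11 association response fixed fields (capability info, status code, AID); the real value of FIXED_PARAM_OFFSET_ASSOC_RSP is not shown on this page. The sample frame, `ie_len_unchecked`, `ie_len_checked` and `count_ies` are all constructed for illustration. The unchecked variant mirrors the pre-fix arithmetic `(*n_frame) - FIXED_PARAM_OFFSET_ASSOC_RSP`, the checked variant adds the same guard the patch adds, and the bounded element walk shows why a wrapped length is what matters: the walk itself is correct, but it trusts the bound it is given.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* Assumed offset of the IE area in an association response: 802.11 fixed
 * fields are capability info (2) + status code (2) + AID (2) = 6 bytes.
 * The driver's actual FIXED_PARAM_OFFSET_ASSOC_RSP is not shown on the page. */
#define ASSOC_RSP_FIXED_PARAM_OFFSET 6u

/* Mirrors the pre-fix arithmetic: unsigned subtraction that wraps when
 * n_frame < offset, producing a huge "remaining length" for the IE parser. */
uint32_t ie_len_unchecked(uint32_t n_frame)
{
    return n_frame - ASSOC_RSP_FIXED_PARAM_OFFSET;
}

/* Hardened form, as the patch does: reject frames shorter than the fixed
 * parameters before deriving the IE-area length. Returns -1 on failure,
 * otherwise the remaining length (0 is legal: no IEs present). */
long long ie_len_checked(uint32_t n_frame)
{
    if (n_frame < ASSOC_RSP_FIXED_PARAM_OFFSET) {
        fprintf(stderr, "payload len %u is less than assoc rsp offset %u\n",
                n_frame, ASSOC_RSP_FIXED_PARAM_OFFSET);
        return -1;
    }
    return (long long)(n_frame - ASSOC_RSP_FIXED_PARAM_OFFSET);
}

/* Bounded element walk over the IE area (ID, length, value triples).
 * Counts elements that fit entirely within buf_len and stops at the first
 * truncated one. Safe only when buf_len is the true size of 'ies'. */
size_t count_ies(const uint8_t *ies, uint32_t buf_len)
{
    size_t count = 0;
    uint32_t pos = 0;
    while (pos + 2 <= buf_len) {
        uint8_t len = ies[pos + 1];
        if (pos + 2 + len > buf_len)
            break;              /* declared length runs past the buffer */
        count++;
        pos += 2 + (uint32_t)len;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: 6 fixed bytes, then SSID IE (len 3) and RSN IE (len 2). */
    const uint8_t frame[] = { 0x01, 0x04, 0x00, 0x00, 0x01, 0xc0,
                              0x00, 0x03, 'a', 'b', 'c',
                              0x30, 0x02, 0x01, 0x00 };
    long long ie_len = ie_len_checked((uint32_t)sizeof frame);
    if (ie_len >= 0)
        printf("IEs parsed: %zu\n",
               count_ies(frame + ASSOC_RSP_FIXED_PARAM_OFFSET, (uint32_t)ie_len));

    /* A 4-byte payload: the unchecked length wraps, the checked one fails. */
    printf("unchecked len for 4-byte payload = %u\n", ie_len_unchecked(4));
    printf("checked len for 4-byte payload = %lld\n", ie_len_checked(4));
    return 0;
}
```

The wrapped value is what would have reached the IE walk as buf_len: every `pos + 2 <= buf_len` comparison succeeds, so the loop keeps reading element headers past the end of the frame. Checking the length once, before the subtraction, is cheaper and clearer than trying to detect the wrap afterwards.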
-rw-r--r-- | core/mac/src/pe/lim/lim_process_fils.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c index 18033ce4df..92ef167576 100644 --- a/core/mac/src/pe/lim/lim_process_fils.c +++ b/core/mac/src/pe/lim/lim_process_fils.c @@ -1819,6 +1819,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(tpAniSirGlobal mac_ctx, uint8_t *fils_ies; struct pe_fils_session *fils_info = (session->fils_info); + if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) { + pe_debug("payload len is less than ASSOC RES offset"); + return QDF_STATUS_E_FAILURE; + } + status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame + FIXED_PARAM_OFFSET_ASSOC_RSP, ((*n_frame) - |
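Review bot: the new guard correctly rejects the case that made `((*n_frame) - FIXED_PARAM_OFFSET_ASSOC_RSP)` wrap, but two things are worth confirming before merge. First, the check is `<`, so when `*n_frame == FIXED_PARAM_OFFSET_ASSOC_RSP` the call still proceeds with a remaining length of zero; please confirm find_ie_data_after_fils_session_ie() handles a zero-length buffer without dereferencing p_frame + FIXED_PARAM_OFFSET_ASSOC_RSP. Second, a frame that fails this check is malformed input from the air, so `pe_debug("payload len is less than ASSOC RES offset")` is easy to miss in the field; consider `pe_err` and include the actual `*n_frame` value, e.g. `pe_err("payload len %d less than assoc rsp offset", *n_frame);`, so that such frames are visible in driver diagnostics.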