authorJyoti Kumari <jyotkuma@codeaurora.org>2021-01-29 12:59:07 +0530
committerIsaac Chiou <isaacchiou@google.com>2021-07-29 12:44:41 +0000
commit93bd2df200cde2c6c9494d6f5c0bac3822fb6401 (patch)
tree856fa0de683097fbccd0291cc90fc468ed3ae1f2
parent187ef758e2e74f24d73997b2dfa5080d7031bfcc (diff)
downloadqcacld-93bd2df200cde2c6c9494d6f5c0bac3822fb6401.tar.gz
In func aead_decrypt_assoc_rsp(), it calls find_ie_data_after_fils_session_ie() to find the IE pointer after the FILS session IE in the frame payload. There is a possibility of integer underflow if the frame payload length is less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may inflate the value of the buf_len variable in find_ie_data_after_fils_session_ie() and cause an out-of-bounds (OOB) access during parsing. Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP; if it is less, return failure. Bug: 193070701 Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af CRs-Fixed: 2859024
-rw-r--r--core/mac/src/pe/lim/lim_process_fils.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 18033ce4df..92ef167576 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -1819,6 +1819,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(tpAniSirGlobal mac_ctx,
uint8_t *fils_ies;
struct pe_fils_session *fils_info = (session->fils_info);
+ if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
+ pe_debug("payload len is less than ASSOC RES offset");
+ return QDF_STATUS_E_FAILURE;
+ }
+
status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
FIXED_PARAM_OFFSET_ASSOC_RSP,
((*n_frame) -