diff options
author | Abhishek Ambure <aambure@codeaurora.org> | 2019-12-05 20:27:55 +0530 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2020-04-08 13:35:10 +0800 |
commit | d85e8a2ab13139550b6725bcead23ab1cda4b055 (patch) | |
tree | 95575ec39e8e4855a5a10425c395279485d445f3 | |
parent | d9b6c82d883b7a44d93ae952556c062c15a90063 (diff) | |
download | qcacld-d85e8a2ab13139550b6725bcead23ab1cda4b055.tar.gz |
qcacld-3.0: Add max index check for dscp_to_up_map array
In SME layer, boundary check for dscp_to_up_map array is not present.
The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions
are used to index dscpmapping. The indices are not validated to be less
than 0x40. The dscp_exceptions array is received from association
response frame. A malicious AP can send values up to 0xff, causing OOB
write of dscpmapping array.
Hence, max index check is added to avoid OOB write of dscpmapping array.
Bug: 153345312
Test: Regression test
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764
-rw-r--r-- | core/hdd/inc/wlan_hdd_main.h | 2 | ||||
-rw-r--r-- | core/hdd/inc/wlan_hdd_wmm.h | 2 | ||||
-rw-r--r-- | core/hdd/src/wlan_hdd_wmm.c | 4 | ||||
-rw-r--r-- | core/sme/inc/sme_qos_api.h | 4 | ||||
-rw-r--r-- | core/sme/src/common/sme_api.c | 17 |
5 files changed, 9 insertions, 20 deletions
diff --git a/core/hdd/inc/wlan_hdd_main.h b/core/hdd/inc/wlan_hdd_main.h index 25a65d2bc6..7b43afa11b 100644 --- a/core/hdd/inc/wlan_hdd_main.h +++ b/core/hdd/inc/wlan_hdd_main.h @@ -1412,7 +1412,7 @@ struct hdd_adapter { bool offloads_configured; /* DSCP to UP QoS Mapping */ - enum sme_qos_wmmuptype dscp_to_up_map[WLAN_HDD_MAX_DSCP + 1]; + enum sme_qos_wmmuptype dscp_to_up_map[WLAN_MAX_DSCP + 1]; #ifdef WLAN_FEATURE_LINK_LAYER_STATS bool is_link_layer_stats_set; diff --git a/core/hdd/inc/wlan_hdd_wmm.h b/core/hdd/inc/wlan_hdd_wmm.h index ead0a7829c..4e8be3bb2c 100644 --- a/core/hdd/inc/wlan_hdd_wmm.h +++ b/core/hdd/inc/wlan_hdd_wmm.h @@ -194,8 +194,6 @@ extern const uint8_t hdd_qdisc_ac_to_tl_ac[]; extern const uint8_t hdd_wmm_up_to_ac_map[]; extern const uint8_t hdd_linux_up_to_ac_map[]; -#define WLAN_HDD_MAX_DSCP 0x3f - /** * hdd_wmmps_helper() - Function to set uapsd psb dynamically * diff --git a/core/hdd/src/wlan_hdd_wmm.c b/core/hdd/src/wlan_hdd_wmm.c index 5d02f02946..04a6584ecb 100644 --- a/core/hdd/src/wlan_hdd_wmm.c +++ b/core/hdd/src/wlan_hdd_wmm.c @@ -54,8 +54,6 @@ #include <cds_sched.h> #include "sme_api.h" -#define WLAN_HDD_MAX_DSCP 0x3f - #define HDD_WMM_UP_TO_AC_MAP_SIZE 8 const uint8_t hdd_wmm_up_to_ac_map[] = { @@ -1283,7 +1281,7 @@ QDF_STATUS hdd_wmm_init(struct hdd_adapter *adapter) /* DSCP to User Priority Lookup Table * By default use the 3 Precedence bits of DSCP as the User Priority */ - for (dscp = 0; dscp <= WLAN_HDD_MAX_DSCP; dscp++) + for (dscp = 0; dscp <= WLAN_MAX_DSCP; dscp++) dscp_to_up_map[dscp] = dscp >> 3; /* Special case for Expedited Forwarding (DSCP 46) */ diff --git a/core/sme/inc/sme_qos_api.h b/core/sme/inc/sme_qos_api.h index de71f94feb..da4c3914f6 100644 --- a/core/sme/inc/sme_qos_api.h +++ b/core/sme/inc/sme_qos_api.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -133,6 +133,8 @@ enum sme_qos_statustype { }; +#define WLAN_MAX_DSCP 0x3f + /* * Enumeration of the various User priority (UP) types * From 802.1D/802.11e/WMM specifications (all refer to same table) diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c index fa1e831e03..f23e630e87 100644 --- a/core/sme/src/common/sme_api.c +++ b/core/sme/src/common/sme_api.c @@ -10717,24 +10717,15 @@ QDF_STATUS sme_update_dsc_pto_up_mapping(tHalHandle hHal, sme_release_global_lock(&pMac->sme); return QDF_STATUS_E_FAILURE; } + for (i = 0; i < SME_QOS_WMM_UP_MAX; i++) { for (j = pSession->QosMapSet.dscp_range[i][0]; - j <= pSession->QosMapSet.dscp_range[i][1]; - j++) { - if ((pSession->QosMapSet.dscp_range[i][0] == 255) - && (pSession->QosMapSet.dscp_range[i][1] == - 255)) { - QDF_TRACE(QDF_MODULE_ID_SME, - QDF_TRACE_LEVEL_DEBUG, - FL("User Priority %d isn't used"), i); - break; - } else { + j <= pSession->QosMapSet.dscp_range[i][1] && + j <= WLAN_MAX_DSCP; j++) dscpmapping[j] = i; - } - } } for (i = 0; i < pSession->QosMapSet.num_dscp_exceptions; i++) - if (pSession->QosMapSet.dscp_exceptions[i][0] != 255) + if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP) dscpmapping[pSession->QosMapSet.dscp_exceptions[i][0]] = pSession->QosMapSet.dscp_exceptions[i][1]; |