diff options
author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2018-07-06 15:43:02 +0530 |
---|---|---|
committer | Ahmed ElArabawy <arabawy@google.com> | 2019-01-29 02:08:18 +0000 |
commit | a616b92ac3d1acee2ede4d40c29257e2e911d68d (patch) | |
tree | ea88ca4e5641aab1bbd8e2e388fc130b1c212632 | |
parent | b167f9a6f268385e07148b09f36314595f70457f (diff) | |
download | qcacld-a616b92ac3d1acee2ede4d40c29257e2e911d68d.tar.gz |
qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie
In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.
Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.
Bug: 110475457
Test: Regression
Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2267557
Signed-off-by: Sunil Ravi <sunilravi@google.com>
-rw-r--r-- | core/mac/src/pe/lim/lim_assoc_utils.c | 8 | ||||
-rw-r--r-- | core/mac/src/pe/lim/lim_process_assoc_req_frame.c | 19 |
2 files changed, 14 insertions, 13 deletions
diff --git a/core/mac/src/pe/lim/lim_assoc_utils.c b/core/mac/src/pe/lim/lim_assoc_utils.c index e7ca136f20..a01d870436 100644 --- a/core/mac/src/pe/lim/lim_assoc_utils.c +++ b/core/mac/src/pe/lim/lim_assoc_utils.c @@ -349,8 +349,8 @@ static inline bool is_non_rsn_cipher(uint8_t cipher_suite) * frame handling to determine whether received RSN in * Assoc/Reassoc request frames include supported cipher suites or not. * - * Return: eSIR_SUCCESS if ALL BSS basic rates are present in the - * received rateset else failure status. + * Return: eSIR_SUCCESS if ALL supported cipher suites are present in the + * received rsn IE else failure status. */ uint8_t @@ -461,8 +461,8 @@ lim_check_rx_rsn_ie_match(tpAniSirGlobal mac_ctx, tDot11fIERSN rx_rsn_ie, * frame handling to determine whether received RSN in * Assoc/Reassoc request frames include supported cipher suites or not. * - * Return: Success if ALL BSS basic rates are present in the - * received rateset else failure status. + * Return: Success if ALL supported cipher suites are present in the + * received wpa IE else failure status. */ uint8_t diff --git a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c index 3e33457688..6999267fdb 100644 --- a/core/mac/src/pe/lim/lim_process_assoc_req_frame.c +++ b/core/mac/src/pe/lim/lim_process_assoc_req_frame.c @@ -737,7 +737,7 @@ static void lim_print_ht_cap(tpAniSirGlobal mac_ctx, tpPESession session, * * wpa ie related checks * - * Return: true of no error, false otherwise + * Return: true if no error, false otherwise */ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx, tpSirMacMgmtHdr hdr, @@ -746,6 +746,7 @@ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx, uint8_t sub_type, bool *pmf_connection) { uint8_t *wps_ie = NULL; + uint32_t ret; tDot11fIEWPA dot11f_ie_wpa = {0}; tDot11fIERSN dot11f_ie_rsn = {0}; tSirRetStatus status = eSIR_SUCCESS; @@ -776,11 +777,11 @@ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx, if (assoc_req->rsnPresent) { if (assoc_req->rsn.length) { /* Unpack the RSN IE */ - if (dot11f_unpack_ie_rsn(mac_ctx, + ret = dot11f_unpack_ie_rsn(mac_ctx, &assoc_req->rsn.info[0], assoc_req->rsn.length, - &dot11f_ie_rsn, false) != - DOT11F_PARSE_SUCCESS) { + &dot11f_ie_rsn, false); + if (!DOT11F_SUCCEEDED(ret)) { pe_err("Invalid RSN ie"); return false; } @@ -852,11 +853,11 @@ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx, /* Unpack the WPA IE */ if (assoc_req->wpa.length) { /* OUI is not taken care */ - if (dot11f_unpack_ie_wpa(mac_ctx, - &assoc_req->wpa.info[4], - assoc_req->wpa.length, - &dot11f_ie_wpa, false) != - DOT11F_PARSE_SUCCESS) { + ret = dot11f_unpack_ie_wpa(mac_ctx, + &assoc_req->wpa.info[4], + (assoc_req->wpa.length - 4), + &dot11f_ie_wpa, false); + if (!DOT11F_SUCCEEDED(ret)) { pe_err("Invalid WPA IE"); return false; } |