author | Kumar Anand <kumaranand@google.com> | 2019-02-21 20:48:38 +0000 |
committer | Android Partner Code Review <android-gerrit-partner@google.com> | 2019-02-21 20:48:38 +0000 |
commit | aa844ea5f38253d689fefbf635a27f16a7b47ee8 (patch) | |
tree | aaefca1d464b6d657eba27f542bf96bb9b97ab2a | |
parent | 14949e76f03fb0205d3844db507604823ffefb01 (diff) | |
parent | 756f27166a048786d38f9e8c0b40a3ab69828aa6 (diff) | |
download | qcacld-aa844ea5f38253d689fefbf635a27f16a7b47ee8.tar.gz |
Merge "qcacld-3.0: Fix possible OOB access in lim_process_disassoc_frame" into android-msm-bluecross-4.9
-rw-r--r-- | core/mac/src/pe/lim/lim_process_disassoc_frame.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/core/mac/src/pe/lim/lim_process_disassoc_frame.c b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
index c8ae79fc86..e36ecc939f 100644
--- a/core/mac/src/pe/lim/lim_process_disassoc_frame.c
+++ b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
@@ -77,13 +77,12 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
 	uint16_t aid, reasonCode;
 	tpSirMacMgmtHdr pHdr;
 	tpDphHashNode pStaDs;
-#ifdef WLAN_FEATURE_11W
-	uint32_t frameLen;
-#endif
+	uint32_t frame_len;
 	int32_t frame_rssi;
 	pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo);
 	pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
+	frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 	frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
@@ -137,11 +136,10 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
 		/* If the frame received is unprotected, forward it to the supplicant to initiate */
 		/* an SA query */
-		frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 		/* send the unprotected frame indication to SME */
 		lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType, (uint8_t *) pHdr,
-					(frameLen +
+					(frame_len +
 					sizeof(tSirMacMgmtHdr)), psessionEntry->smeSessionId, psessionEntry);
@@ -149,6 +147,11 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
 	}
 #endif
+	if (frame_len < 2) {
+		pe_err("frame len less than 2");
+		return;
+	}
+
 	/* Get reasonCode from Disassociation frame body */
 	reasonCode = sir_read_u16(pBody);
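Review bot: The bound `2` in the new length check in the third hunk is the width of the `reasonCode` field that `sir_read_u16(pBody)` reads on the next line, but nothing in the code ties the two together; `if (frame_len < sizeof(reasonCode)) {` states why 2 is the limit and keeps the guard in step with the `uint16_t aid, reasonCode;` declaration in the first hunk. Logging the offending value, `pe_err("frame len %u less than 2", frame_len);`, would make a truncated or crafted disassoc frame easier to triage from the log alone. Because this length comes straight from a received management frame, it is worth confirming whether `pe_err` is rate-limited in this tree (presumably it is not), as an unauthenticated peer could otherwise fill the log with this line. lim_process_disassoc_frame starts and ends outside the hunks, so it is not visible here whether `pBody` is dereferenced anywhere inside the WLAN_FEATURE_11W block ahead of this check; if it is, the guard would need to move above that block.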