author | Jianmin Zhu <jianminz@codeaurora.org> | 2018-07-11 19:14:10 +0800 |
---|---|---|
committer | Roger Wang <wangroger@google.com> | 2019-09-05 01:57:40 +0000 |
commit | 2657180aee689f75f09fd3519a345f5e97c28c1c (patch) | |
tree | 85e84d3d4ae3dd457c2f1827b3a2290c3858c8bf | |
parent | a6ca4ace0d93fa76450b4e03e40b27127cda6ba6 (diff) | |
qcacld-3.0: Avoid buffer overflow in wma_process_bip
If 11w is enabled, the MMIE should be included in broadcast/multicast RMF, so the length check needs to account for it to avoid a buffer overflow.
CRs-Fixed: 2270117
Bug: 139890137
Change-Id: I6c2ebe18fb5b6e4246ba6d28c1dbc55175279e30
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r-- | core/wma/src/wma_mgmt.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index d6d21d1ef3..784b553901 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3266,20 +3266,28 @@ int wma_process_bip(tp_wma_handle wma_handle,
 qdf_nbuf_t wbuf
 )
 {
+ uint16_t mmie_size;
 uint16_t key_id;
 uint8_t *efrm;
 efrm = qdf_nbuf_data(wbuf) + qdf_nbuf_len(wbuf);
 if (iface->key.key_cipher == WMI_CIPHER_AES_CMAC) {
- key_id = (uint16_t)*(efrm - cds_get_mmie_size() + 2);
+ mmie_size = cds_get_mmie_size();
 } else if (iface->key.key_cipher == WMI_CIPHER_AES_GMAC) {
- key_id = (uint16_t)*(efrm - cds_get_gmac_mmie_size() + 2);
+ mmie_size = cds_get_gmac_mmie_size();
 } else {
 WMA_LOGE(FL("Invalid key cipher %d"), iface->key.key_cipher);
 return -EINVAL;
 }
+ /* Check if frame is invalid length */
+ if (efrm - (uint8_t *)wh < sizeof(*wh) + mmie_size) {
+ WMA_LOGE(FL("Invalid frame length"));
+ return -EINVAL;
+ }
+
+ key_id = (uint16_t)*(efrm - mmie_size + 2);
 if (!((key_id == WMA_IGTK_KEY_INDEX_4) || (key_id == WMA_IGTK_KEY_INDEX_5))) {
 WMA_LOGE(FL("Invalid KeyID(%d) dropping the frame"), key_id); |
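Review bot: The new length guard compares a ptrdiff_t, `efrm - (uint8_t *)wh`, against the size_t `sizeof(*wh) + mmie_size`, so a negative difference is converted to unsigned and the check passes instead of rejecting the frame. Whether efrm can lie below wh depends on how wh relates to qdf_nbuf_data(wbuf), which is not visible in this hunk, and -Wsign-compare will flag the line either way. If wh is the start of the buffer, `if (qdf_nbuf_len(wbuf) < sizeof(*wh) + mmie_size)` expresses the bound without pointer arithmetic; otherwise store the difference first, `ptrdiff_t frame_len = efrm - (uint8_t *)wh;` and test `if (frame_len < 0 || (size_t)frame_len < sizeof(*wh) + mmie_size)`. wma_process_bip continues outside the hunk.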