diff options
author | Aditya Kodukula <quic_akodukul@quicinc.com> | 2021-09-29 13:38:44 +0530 |
---|---|---|
committer | chenpaul <chenpaul@google.com> | 2021-10-25 17:04:18 +0800 |
commit | 0f35e379ca22b967e9ec7adef377eaaf501ffc76 (patch) | |
tree | 17a6554b8c9ec1078641e04c1ab68807e713d48e | |
parent | f1aead25d8d8b78afac6726690c283ef18c5d49b (diff) | |
download | qcacld-0f35e379ca22b967e9ec7adef377eaaf501ffc76.tar.gz |
qcacld-3.0: Fix possible OOB in unpack_tlv_coreandroid-s-v2-beta-2_r0.3android-s-v2-beta-2_r0.2android-s-v2-beta-1_r0.3android-s-v2-beta-1_r0.2android-msm-sunfish-4.14-s-v2-beta-1android-msm-sunfish-4.14-android12-v2-beta-2android-msm-coral-4.14-s-v2-beta-1android-msm-coral-4.14-android12-v2-beta-2
Currently in unpack_tlv_core(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.
Fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
Bug: 202465127
CRs-Fixed: 3042282
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
-rw-r--r-- | core/mac/src/include/dot11f.h | 4 | ||||
-rw-r--r-- | core/mac/src/sys/legacy/src/utils/src/dot11f.c | 20 |
2 files changed, 15 insertions, 9 deletions
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h index 44a516e977..a936d24184 100644 --- a/core/mac/src/include/dot11f.h +++ b/core/mac/src/include/dot11f.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -26,7 +26,7 @@ * * * This file was automatically generated by 'framesc' - * Mon Mar 25 14:48:07 2019 from the following file(s): + * Wed Sep 29 13:23:21 2021 from the following file(s): * * dot11f.frms * diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c index ea103d9e75..d9b04a2242 100644 --- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c +++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved. + * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -24,7 +24,7 @@ * * * This file was automatically generated by 'framesc' - * Mon Mar 25 14:48:07 2019 from the following file(s): + * Wed Sep 29 13:23:21 2021 from the following file(s): * * dot11f.frms * @@ -14538,25 +14538,30 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx, } /* & length, */ if (pTlv->sLen == 2) { - framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb); if (2 > nBufRemaining) { FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " "fewer two byte(s) remaining.\n")); status |= DOT11F_INCOMPLETE_TLV; FRAMES_DBG_BREAK(); goto MandatoryCheck; - } - pBufRemaining += 2; - nBufRemaining -= 2; + } + framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb); + pBufRemaining += 2; + nBufRemaining -= 2; } else { len = *pBufRemaining; pBufRemaining += 1; nBufRemaining -= 1; } } else { + if (TLVs[0].sType > nBufRemaining) { + FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " + "fewer LVs[0].sType byte(s) remaining.\n")); + status |= DOT11F_INCOMPLETE_TLV; + goto MandatoryCheck; + } pBufRemaining += TLVs[0].sType; nBufRemaining -= TLVs[0].sType; - framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2)); if (2 > nBufRemaining) { FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports " "fewer two byte(s) remaining.\n")); @@ -14564,6 +14569,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx, FRAMES_DBG_BREAK(); goto MandatoryCheck; } + framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2)); pBufRemaining += 2; nBufRemaining -= 2; } |