authorAditya Kodukula <quic_akodukul@quicinc.com>2021-09-29 13:38:44 +0530
committerchenpaul <chenpaul@google.com>2021-10-25 17:04:18 +0800
commit0f35e379ca22b967e9ec7adef377eaaf501ffc76 (patch)
tree17a6554b8c9ec1078641e04c1ab68807e713d48e
parentf1aead25d8d8b78afac6726690c283ef18c5d49b (diff)
downloadqcacld-0f35e379ca22b967e9ec7adef377eaaf501ffc76.tar.gz
Currently in unpack_tlv_core(), nBufRemaining is validated after calling the framesntohs API. Since framesntohs() copies 2 bytes from the pIn address to the pOut address, as below: DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2); this could cause an OOB issue if pIn contains fewer than 2 bytes. The fix is to validate the nBufRemaining size before calling framesntohs(). Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199 Bug: 202465127 CRs-Fixed: 3042282 Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
-rw-r--r--core/mac/src/include/dot11f.h4
-rw-r--r--core/mac/src/sys/legacy/src/utils/src/dot11f.c20
2 files changed, 15 insertions, 9 deletions
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 44a516e977..a936d24184 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -26,7 +26,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Mon Mar 25 14:48:07 2019 from the following file(s):
+ * Wed Sep 29 13:23:21 2021 from the following file(s):
*
* dot11f.frms
*
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index ea103d9e75..d9b04a2242 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
*
* Permission to use, copy, modify, and/or distribute this software for
* any purpose with or without fee is hereby granted, provided that the
@@ -24,7 +24,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Mon Mar 25 14:48:07 2019 from the following file(s):
+ * Wed Sep 29 13:23:21 2021 from the following file(s):
*
* dot11f.frms
*
@@ -14538,25 +14538,30 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
}
/* & length, */
if (pTlv->sLen == 2) {
- framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
if (2 > nBufRemaining) {
FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
"fewer two byte(s) remaining.\n"));
status |= DOT11F_INCOMPLETE_TLV;
FRAMES_DBG_BREAK();
goto MandatoryCheck;
- }
- pBufRemaining += 2;
- nBufRemaining -= 2;
+ }
+ framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
+ pBufRemaining += 2;
+ nBufRemaining -= 2;
} else {
len = *pBufRemaining;
pBufRemaining += 1;
nBufRemaining -= 1;
}
} else {
+ if (TLVs[0].sType > nBufRemaining) {
+ FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
+ "fewer LVs[0].sType byte(s) remaining.\n"));
+ status |= DOT11F_INCOMPLETE_TLV;
+ goto MandatoryCheck;
+ }
pBufRemaining += TLVs[0].sType;
nBufRemaining -= TLVs[0].sType;
- framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
if (2 > nBufRemaining) {
FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
"fewer two byte(s) remaining.\n"));
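Review bot: The one-byte length path on the `else` side of `pTlv->sLen == 2` still reads `*pBufRemaining` and decrements `nBufRemaining` with no remaining-length check, so the same kind of over-read the commit fixes for the two-byte case may survive there unless a check above the hunk already guarantees at least one byte; a guard in the same form as the added ones, `if (1 > nBufRemaining) { status |= DOT11F_INCOMPLETE_TLV; goto MandatoryCheck; }`, placed before `len = *pBufRemaining;`, would close it. The new log text at the `TLVs[0].sType` check reads `fewer LVs[0].sType byte(s)`, which looks like a dropped `T`; `"fewer TLVs[0].sType byte(s) remaining.\n"` matches the identifier being checked. That new error path also omits the `FRAMES_DBG_BREAK()` the neighbouring incomplete-TLV paths call, which is worth aligning if the omission is not deliberate. unpack_tlv_core's body starts and ends outside the hunk.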
@@ -14564,6 +14569,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
FRAMES_DBG_BREAK();
goto MandatoryCheck;
}
+ framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
pBufRemaining += 2;
nBufRemaining -= 2;
}