authorYeshwanth Sriram Guntuka <ysriramg@codeaurora.org>2018-06-07 14:58:29 +0530
committerSunil Ravi <sunilravi@google.com>2019-02-20 23:06:09 +0000
commit2be660f14abe76ddc2aa5605832d8e78f9b8c0de (patch)
tree1b57194f0f6ae950db7390faa0947f3bbe2b5234
parentce16f6751fbab57982201d3c03a782bc25bac54f (diff)
downloadqcacld-2be660f14abe76ddc2aa5605832d8e78f9b8c0de.tar.gz
qcacld-3.0: Fix possible OOB access in lim_process_auth_frame
The key ID is extracted from the data buffer without validating the length of the data, which could result in an out-of-bounds access. The fix validates the frame length before extracting the key ID from the data buffer.
Bug: 78528839
Test: Test with provided PoC (before and after the fix)
Change-Id: I1f4d88b7ca6201f03a6bc8e6915f1479f571838f
CRs-Fixed: 2254141
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
-rw-r--r--core/mac/src/pe/lim/lim_process_auth_frame.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_auth_frame.c b/core/mac/src/pe/lim/lim_process_auth_frame.c
index eea7cc96a0..04258ebe79 100644
--- a/core/mac/src/pe/lim/lim_process_auth_frame.c
+++ b/core/mac/src/pe/lim/lim_process_auth_frame.c
@@ -1131,6 +1131,11 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info);
+ if (frame_len < 2) {
+ pe_err("invalid frame len: %d", frame_len);
+ return;
+ }
+
/* Restore default failure timeout */
if (QDF_P2P_CLIENT_MODE == pe_session->pePersona &&
pe_session->defaultAuthFailureTimeout) {
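Review bot: The guard added at the top of the hunk compares frame_len against a bare `2` with no comment saying which field those two bytes are, and the read it protects is not in the hunk, so a maintainer cannot tell from here what the minimum is tied to; I would annotate it, e.g. `/* body must at least hold the 2-byte Authentication Algorithm Number read below */`, and if the file already defines a named length for that field, use it instead of the literal. Note also that this guard bails with a plain `return;` while the second hunk of the same commit uses `goto free;` — that is only safe if nothing has been acquired by this point, which the hunk does not show, so worth confirming rather than assuming. The `%d` in the pe_err is fine only if frame_len is an int-sized or narrower integer; if it is unsigned the format should match. lim_process_auth_frame starts before and continues after this hunk.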
@@ -1176,6 +1181,11 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
mac_hdr->sa, pe_session, false);
goto free;
}
+
+ if (frame_len < 4) {
+ pe_err("invalid frame len: %d", frame_len);
+ goto free;
+ }
/* Extract key ID from IV (most 2 bits of 4th byte of IV) */
key_id = (*(body_ptr + 3)) >> 6;