From 756f27166a048786d38f9e8c0b40a3ab69828aa6 Mon Sep 17 00:00:00 2001 From: Yeshwanth Sriram Guntuka Date: Mon, 11 Jun 2018 17:41:18 +0530 Subject: qcacld-3.0: Fix possible OOB access in lim_process_disassoc_frame Reason code is extracted from frame data without validating the frame len which could result in out of bound access. Fix is to validate frame len before extracting reason code from frame data. Bug: 78530292 Test: Regression Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7 CRs-Fixed: 2253984 Signed-off-by: Ahmed ElArabawy --- core/mac/src/pe/lim/lim_process_disassoc_frame.c | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/core/mac/src/pe/lim/lim_process_disassoc_frame.c b/core/mac/src/pe/lim/lim_process_disassoc_frame.c index c8ae79fc86..e36ecc939f 100644 --- a/core/mac/src/pe/lim/lim_process_disassoc_frame.c +++ b/core/mac/src/pe/lim/lim_process_disassoc_frame.c @@ -77,13 +77,12 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, uint16_t aid, reasonCode; tpSirMacMgmtHdr pHdr; tpDphHashNode pStaDs; -#ifdef WLAN_FEATURE_11W - uint32_t frameLen; -#endif + uint32_t frame_len; int32_t frame_rssi; pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo); pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo); + frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo); @@ -137,11 +136,10 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, /* If the frame received is unprotected, forward it to the supplicant to initiate */ /* an SA query */ - frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo); /* send the unprotected frame indication to SME */ lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType, (uint8_t *) pHdr, - (frameLen + + (frame_len + sizeof(tSirMacMgmtHdr)), psessionEntry->smeSessionId, psessionEntry); @@ -149,6 +147,11 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo, } #endif + if (frame_len < 2) { + pe_err("frame len less than 2"); + return; + } + /* Get reasonCode from Disassociation frame body */ reasonCode = sir_read_u16(pBody); -- cgit v1.2.3