From fa4f0754b2f8e2f1712abe3f0f835b024e769b13 Mon Sep 17 00:00:00 2001
From: Pragaspathi Thilagaraj
Date: Wed, 29 Jan 2020 15:38:50 +0530
Subject: qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is calculated as sum of length field of the IE and 2 (element id 1 byte and IE length field 1 byte). The total IE length is defined of type uint16_t and will overflow if the *(pBcnIes + 1)=0xfe. Validate the len against total IE length to avoid overflow.

Bug: 155653491
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2573329
---
 core/mac/src/pe/rrm/rrm_api.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 3ca467f57b..d7d789542b 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -722,10 +722,17 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 	pIes += sizeof(uint16_t);
 	while (BcnNumIes > 0) {
-		len = *(pBcnIes + 1) + 2; /* element id + length. */
+		len = *(pBcnIes + 1);
+		len += 2; /* element id + length. */
 		pe_debug("EID = %d, len = %d total = %d",
			 *pBcnIes, *(pBcnIes + 1), len);
+		if (BcnNumIes < len) {
+			pe_err("RRM: Invalid IE len:%d exp_len:%d",
+			       len, BcnNumIes);
+			break;
+		}
+
 		i = 0;
 		do {
 			if (((eids == NULL) || (*pBcnIes == eids[i])) &&
-- 
cgit v1.2.3
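Review bot: The length byte `*(pBcnIes + 1)` is still read before the new `BcnNumIes < len` check, so when exactly one byte of IE data remains (the loop condition `while (BcnNumIes > 0)` admits that case) the read lands one byte past the IE buffer before the check can reject it. A guard ahead of the read closes that gap: `if (BcnNumIes < 2) { pe_err("RRM: truncated IE, %d byte(s) left", BcnNumIes); break; }`, with the existing check still catching a length field that exceeds the remaining bytes. The commit message says `len` is `uint16_t`; if so, a length byte of 0xff plus 2 cannot wrap that type, and the real value of the change is the added bounds check rather than an overflow fix, which the message could state. The loop body, including where `pBcnIes` and `BcnNumIes` are advanced, continues past the end of the hunk, so the advance itself is not visible here.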