authorYeshwanth Sriram Guntuka <ysriramg@codeaurora.org>2019-08-06 17:03:40 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2019-08-21 02:41:43 -0700
commit8eb175fac26f3037b43abf7c2d506f4e76050204 (patch)
tree0d1247ddef2be660659bc78faee9ddd46f4644aa
parentd6a2f1493ef83a61d9b2a2cb7cefa1cb10dccd9a (diff)
downloadwlan-8eb175fac26f3037b43abf7c2d506f4e76050204.tar.gz
wlan: Fix possible OOB access in lim_process_disassoc_frame
The reason code is extracted from the frame data without validating the frame length, which could result in an out-of-bounds access. The fix is to validate the frame length before extracting the reason code from the frame data. Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7 CRs-Fixed: 2504023
-rw-r--r--CORE/MAC/src/pe/lim/limProcessDisassocFrame.c15
1 files changed, 9 insertions, 6 deletions
diff --git a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
index 805ad5f0c..1985c21d7 100644
--- a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -80,12 +80,16 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
tpSirMacMgmtHdr pHdr;
tpDphHashNode pStaDs;
tLimMlmDisassocInd mlmDisassocInd;
-#ifdef WLAN_FEATURE_11W
- tANI_U32 frameLen;
-#endif
+ tANI_U32 frame_len;
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+ if (frame_len < 2) {
+ limLog(pMac, LOGE, FL("frame len less than 2"));
+ return;
+ }
if (limIsGroupAddr(pHdr->sa))
{
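Review bot: The bound in the added `if (frame_len < 2)` check is a bare literal, so nothing ties it to the field it protects; the read of the reason code from `pBody` lies outside this hunk, and the guard only stays correct as long as that read consumes exactly two bytes. Spelling the bound as the field size, `if (frame_len < sizeof(tANI_U16)) {`, plus a short comment such as `/* body must hold the 16-bit reason code */`, would make that dependency visible. The log line also drops the offending length, which is the one value useful when triaging malformed frames; `limLog(pMac, LOGE, FL("disassoc frame too short: len %u"), frame_len);` would keep it. Because this path can be reached by any received disassoc frame before the sender is checked, it may be worth confirming that LOGE output here is rate-limited. The body of limProcessDisassocFrame starts and ends outside the hunk.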
@@ -124,10 +128,9 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
PELOGE(limLog(pMac, LOG1, FL("received an unprotected disassoc from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
- (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)),
+ (tANI_U8*)pHdr, (frame_len + sizeof(tSirMacMgmtHdr)),
psessionEntry->smeSessionId, psessionEntry);
return;
}