qcacld-3.0: Resolve possible OOB issue while processing start_bss

Presently, while processing start_bss, after retrieving the WPS IE from
the beacon frame, the 15th byte of the WPS IE is accessed to get the WPS
state, without confirming that the IE length is large enough for that access.

Before accessing the 15th byte (WPS state) of the WPS IE, make sure the IE
length is at least the minimum needed to access it.

Change-Id: Ic00c700a1fbf88183b8b2d834c9700b538700ce7
CRs-Fixed: 2239164
Hanumanth Reddy Pothula
2018-06-13 18:32:02 +05:30
committed by nshrivas
parent 5f80f479e4
commit 04bad8fa9d

@@ -7561,8 +7561,10 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
pIe = wlan_hdd_get_wps_ie_ptr(pBeacon->tail, pBeacon->tail_len); pIe = wlan_hdd_get_wps_ie_ptr(pBeacon->tail, pBeacon->tail_len);
if (pIe) { if (pIe) {
if (pIe[1] < (2 + WPS_OUI_TYPE_SIZE)) { /* To acess pIe[15], length needs to be atlest 14 */
hdd_err("**Wps Ie Length is too small***"); if (pIe[1] < 14) {
hdd_err("**Wps Ie Length(%hhu) is too small***",
pIe[1]);
ret = -EINVAL; ret = -EINVAL;
goto error; goto error;
} else if (memcmp(&pIe[2], WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE) == } else if (memcmp(&pIe[2], WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE) ==
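Review bot: the new `if (pIe[1] < 14)` test uses a bare 14 that is tied to the later `pIe[15]` read only by the comment above it, so a future change to either the offset or the bound can silently reopen the out-of-bounds read. Define the offset once (for example a named constant for the WPS state index) and derive the minimum length from it, so the check and the access cannot drift apart; the removed line expressed its bound in terms of `WPS_OUI_TYPE_SIZE`, and the replacement should stay symbolic in the same way. The comment also has two typos ("acess", "atlest") that are worth fixing while the line is being touched. Separately, the check trusts `pIe[1]`, which is the length the IE declares for itself: whether `2 + pIe[1]` bytes actually lie inside `pBeacon->tail_len` depends on what `wlan_hdd_get_wps_ie_ptr` validates, which is not visible in this hunk, so please confirm that helper rejects an IE whose declared length runs past the end of the tail buffer.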