samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix integer underflow in assoc response frame

Browse Source 
In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
This commit is contained in:
Jyoti Kumari
2021-01-29 12:59:07 +05:30
committed by snandini
parent c91a75779c
commit 2cec5921c2
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
core/mac/src/pe/lim/lim_process_fils.c
View File

@@ -2366,6 +2366,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(struct mac_context *mac_ctx,
uint8_t *fils_ies;
struct pe_fils_session *fils_info = session->fils_info;
if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
pe_debug("payload len is less than ASSOC RES offset");
return QDF_STATUS_E_FAILURE;
}
status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
FIXED_PARAM_OFFSET_ASSOC_RSP,
((*n_frame) -