qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.

Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2267557

core/mac/inc/sir_mac_prot_def.h

@@ -711,7 +711,7 @@ typedef enum eSirMacStatusCodes {
 	eSIR_MAC_TS_NOT_HONOURED_STATUS = 39,   /* The TS has not been created because the request cannot be honored; however, a suggested */
 	/* TSPEC is provided so that the initiating STA may attempt to set another TS */
 	/* with the suggested changes to the TSPEC */
-	eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS = 40,       /* Invalid information element, i.e., an information element defined in this standard for */
+	eSIR_MAC_INVALID_IE_STATUS = 40,       /* Invalid information element, i.e., an information element defined in this standard for */
 	/* which the content does not meet the specifications in Clause 7 */
 	eSIR_MAC_INVALID_GROUP_CIPHER_STATUS = 41,      /* Invalid group cipher */
 	eSIR_MAC_INVALID_PAIRWISE_CIPHER_STATUS = 42,   /* Invalid pairwise cipher */

core/mac/src/pe/lim/lim_assoc_utils.c

@@ -341,8 +341,8 @@ static inline bool is_non_rsn_cipher(uint8_t cipher_suite)
  * frame handling to determine whether received RSN in
  * Assoc/Reassoc request frames include supported cipher suites or not.
  *
- * Return: QDF_STATUS_SUCCESS if ALL BSS basic rates are present in the
- *                  received rateset else failure status.
+ * Return: QDF_STATUS_SUCCESS if ALL supported cipher suites are present in the
+ *                  received rsn IE else failure status.
  */
 
 uint8_t lim_check_rx_rsn_ie_match(tpAniSirGlobal mac_ctx,
@@ -458,8 +458,8 @@ uint8_t lim_check_rx_rsn_ie_match(tpAniSirGlobal mac_ctx,
  * frame handling to determine whether received RSN in
  * Assoc/Reassoc request frames include supported cipher suites or not.
  *
- * Return: Success if ALL BSS basic rates are present in the
- *                  received rateset else failure status.
+ * Return: Success if ALL supported cipher suites are present in the
+ *                  received wpa IE else failure status.
  */
 
 uint8_t

core/mac/src/pe/lim/lim_process_assoc_req_frame.c

@@ -806,6 +806,137 @@ static void lim_print_ht_cap(tpAniSirGlobal mac_ctx, tpPESession session,
 	}
 }
 
+/**
+  * lim_check_wpa_rsn_ie() - wpa and rsn ie related checks
+  * @session: pointer to pe session entry
+  * @mac_ctx: pointer to Global MAC structure
+  * @sub_type: Assoc(=0) or Reassoc(=1) Requestframe
+  * @hdr: pointer to the MAC head
+  * @assoc_req: pointer to ASSOC/REASSOC Request frame
+  * @pmf_connection: flag indicating pmf connection
+  *
+  * This function checks if wpa/rsn IE is present and validates
+  * ie version, length and mismatch.
+  *
+  * Return: true if no error, false otherwise
+  */
+static bool lim_check_wpa_rsn_ie(tpPESession session, tpAniSirGlobal mac_ctx,
+				 uint8_t sub_type, tpSirMacMgmtHdr hdr,
+				 tpSirAssocReq assoc_req, bool *pmf_connection)
+{
+	uint32_t ret;
+	tDot11fIEWPA dot11f_ie_wpa = {0};
+	tDot11fIERSN dot11f_ie_rsn = {0};
+	QDF_STATUS status = QDF_STATUS_SUCCESS;
+
+	/*
+	 * Clear the buffers so that frame parser knows that there isn't a
+	 * previously decoded IE in these buffers
+	 */
+	qdf_mem_set((uint8_t *) &dot11f_ie_rsn, sizeof(dot11f_ie_rsn), 0);
+	qdf_mem_set((uint8_t *) &dot11f_ie_wpa, sizeof(dot11f_ie_wpa), 0);
+	pe_err("RSN enabled auth, Re/Assoc req from STA: "
+		MAC_ADDRESS_STR, MAC_ADDR_ARRAY(hdr->sa));
+
+	if (assoc_req->rsnPresent) {
+		if (!(assoc_req->rsn.length)) {
+			pe_warn("Re/Assoc rejected from: "
+				MAC_ADDRESS_STR,
+				MAC_ADDR_ARRAY(hdr->sa));
+			/*
+			 * rcvd Assoc req frame with RSN IE but
+			 * length is zero
+			 */
+			lim_send_assoc_rsp_mgmt_frame(mac_ctx,
+				eSIR_MAC_INVALID_IE_STATUS, 1,
+				hdr->sa, sub_type, 0, session);
+			return false;
+		}
+
+		/* Unpack the RSN IE */
+		ret = dot11f_unpack_ie_rsn(mac_ctx,
+					   &assoc_req->rsn.info[0],
+					   assoc_req->rsn.length,
+					   &dot11f_ie_rsn, false);
+		if (!DOT11F_SUCCEEDED(ret)) {
+			pe_err("Invalid RSN IE");
+			return false;
+		}
+
+		/* Check if the RSN version is supported */
+		if (SIR_MAC_OUI_VERSION_1 == dot11f_ie_rsn.version) {
+			/* check the groupwise and pairwise cipher suites */
+			status = lim_check_rx_rsn_ie_match(mac_ctx,
+					   &dot11f_ie_rsn, session,
+					   assoc_req->HTCaps.present,
+					   pmf_connection);
+			if (QDF_STATUS_SUCCESS != status) {
+				pe_warn("Re/Assoc rejected from: "
+					MAC_ADDRESS_STR,
+					MAC_ADDR_ARRAY(hdr->sa));
+
+				lim_send_assoc_rsp_mgmt_frame(mac_ctx, status,
+							 1, hdr->sa, sub_type,
+							 0, session);
+				return false;
+			}
+		} else {
+			pe_warn("Re/Assoc rejected from: " MAC_ADDRESS_STR,
+				MAC_ADDR_ARRAY(hdr->sa));
+
+			/*
+			 * rcvd Assoc req frame with RSN IE but
+			 * IE version is wrong
+			 */
+			lim_send_assoc_rsp_mgmt_frame(mac_ctx,
+				eSIR_MAC_UNSUPPORTED_RSN_IE_VERSION_STATUS,
+				1, hdr->sa, sub_type, 0, session);
+			return false;
+		}
+	} else if (assoc_req->wpaPresent) {
+		if (!(assoc_req->wpa.length)) {
+			pe_warn("Re/Assoc rejected from: "
+				MAC_ADDRESS_STR,
+				MAC_ADDR_ARRAY(hdr->sa));
+
+			/* rcvd Assoc req frame with invalid WPA IE length */
+			lim_send_assoc_rsp_mgmt_frame(mac_ctx,
+				eSIR_MAC_INVALID_IE_STATUS, 1,
+				hdr->sa, sub_type, 0, session);
+			return false;
+		}
+		/* Unpack the WPA IE */
+		ret = dot11f_unpack_ie_wpa(mac_ctx,
+					   &assoc_req->wpa.info[4],
+					   (assoc_req->wpa.length - 4),
+					   &dot11f_ie_wpa, false);
+		if (!DOT11F_SUCCEEDED(ret)) {
+			pe_err("Invalid WPA IE");
+			return false;
+		}
+
+		/* check the groupwise and pairwise cipher suites*/
+		status = lim_check_rx_wpa_ie_match(mac_ctx, dot11f_ie_wpa,
+					session, assoc_req->HTCaps.present);
+		if (QDF_STATUS_SUCCESS != status) {
+			pe_warn("Re/Assoc rejected from: "
+				MAC_ADDRESS_STR,
+				MAC_ADDR_ARRAY(hdr->sa));
+
+			/*
+			 * rcvd Assoc req frame with WPA IE
+			 * but there is mismatch
+			 */
+			lim_send_assoc_rsp_mgmt_frame(mac_ctx, status, 1,
+					hdr->sa, sub_type, 0, session);
+			return false;
+		}
+
+	}
+	return true;
+
+}
+
 /**
  * lim_chk_n_process_wpa_rsn_ie() - wpa ie related checks
  * @mac_ctx: pointer to Global MAC structure
@@ -817,7 +948,7 @@ static void lim_print_ht_cap(tpAniSirGlobal mac_ctx, tpPESession session,
  *
  * wpa ie related checks
  *
- * Return: true of no error, false otherwise
+ * Return: true if no error, false otherwise
  */
 static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx,
 					 tpSirMacMgmtHdr hdr,
@@ -826,15 +957,6 @@ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx,
 					 uint8_t sub_type, bool *pmf_connection)
 {
 	const uint8_t *wps_ie = NULL;
-	tDot11fIEWPA dot11f_ie_wpa = {0};
-	tDot11fIERSN dot11f_ie_rsn = {0};
-	QDF_STATUS status = QDF_STATUS_SUCCESS;
-	/*
-	 * Clear the buffers so that frame parser knows that there isn't a
-	 * previously decoded IE in these buffers
-	 */
-	qdf_mem_set((uint8_t *) &dot11f_ie_rsn, sizeof(dot11f_ie_rsn), 0);
-	qdf_mem_set((uint8_t *) &dot11f_ie_wpa, sizeof(dot11f_ie_wpa), 0);
 
 	/* if additional IE is present, check if it has WscIE */
 	if (assoc_req->addIEPresent && assoc_req->addIE.length)
@@ -842,149 +964,17 @@ static bool lim_chk_n_process_wpa_rsn_ie(tpAniSirGlobal mac_ctx,
 					assoc_req->addIE.length);
 	else
 		pe_debug("Assoc req addIEPresent: %d addIE length: %d",
-			assoc_req->addIEPresent, assoc_req->addIE.length);
+			 assoc_req->addIEPresent, assoc_req->addIE.length);
 
 	/* when wps_ie is present, RSN/WPA IE is ignored */
 	if (wps_ie == NULL) {
-		/* check whether as RSN IE is present */
+		/* check whether RSN IE is present */
 		if (LIM_IS_AP_ROLE(session) &&
 		    session->pLimStartBssReq->privacy &&
-		    session->pLimStartBssReq->rsnIE.length) {
-			pe_err("RSN enabled auth, Re/Assoc req from STA: "
-					MAC_ADDRESS_STR,
-				MAC_ADDR_ARRAY(hdr->sa));
-			if (assoc_req->rsnPresent) {
-				if (assoc_req->rsn.length) {
-					/* Unpack the RSN IE */
-					if (dot11f_unpack_ie_rsn(mac_ctx,
-						&assoc_req->rsn.info[0],
-						assoc_req->rsn.length,
-						&dot11f_ie_rsn, false) !=
-							DOT11F_PARSE_SUCCESS) {
-						pe_err("Invalid RSN ie");
-						return false;
-					}
-
-					/* Check RSN version is supported */
-					if (SIR_MAC_OUI_VERSION_1 ==
-						dot11f_ie_rsn.version) {
-						/*
-						 * check the groupwise and
-						 * pairwise cipher suites
-						 */
-						status =
-						    lim_check_rx_rsn_ie_match(
-						      mac_ctx, &dot11f_ie_rsn,
-						      session,
-						      assoc_req->HTCaps.present,
-						      pmf_connection);
-						if (QDF_STATUS_SUCCESS != status) {
-							pe_warn("Re/Assoc rejected from: " MAC_ADDRESS_STR,
-							MAC_ADDR_ARRAY(
-								hdr->sa));
-
-							/*
-							 * some IE is not
-							 * properly sent
-							 * received Association
-							 * req frame with RSN IE
-							 * but length is 0
-							 */
-							lim_send_assoc_rsp_mgmt_frame(
-								mac_ctx,
-								status, 1,
-								hdr->sa,
-								sub_type, 0,
-								session);
-							return false;
-						}
-					} else {
-						pe_warn("Re/Assoc rejected from: " MAC_ADDRESS_STR,
-							MAC_ADDR_ARRAY(
-								hdr->sa));
-						/*
-						 * rcvd Assoc req frame with RSN
-						 * IE version wrong
-						 */
-						lim_send_assoc_rsp_mgmt_frame(
-							mac_ctx,
-							eSIR_MAC_UNSUPPORTED_RSN_IE_VERSION_STATUS,
-							1, hdr->sa, sub_type, 0,
-							session);
-						return false;
-					}
-				} else {
-					pe_warn("Re/Assoc rejected from: "
-							MAC_ADDRESS_STR,
-						MAC_ADDR_ARRAY(hdr->sa));
-					/*
-					 * rcvd Assoc req frame with RSN IE but
-					 * length is 0
-					 */
-					lim_send_assoc_rsp_mgmt_frame(mac_ctx,
-						eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS,
-						1, hdr->sa, sub_type, 0,
-						session);
-					return false;
-				}
-			} /* end - if(assoc_req->rsnPresent) */
-			if ((!assoc_req->rsnPresent) && assoc_req->wpaPresent) {
-				/* Unpack the WPA IE */
-				if (assoc_req->wpa.length) {
-					/* OUI is not taken care */
-					if (dot11f_unpack_ie_wpa(mac_ctx,
-						&assoc_req->wpa.info[4],
-						assoc_req->wpa.length,
-						&dot11f_ie_wpa, false) !=
-							DOT11F_PARSE_SUCCESS) {
-						pe_err("Invalid WPA IE");
-						return false;
-					}
-					/*
-					 * check the groupwise and pairwise
-					 * cipher suites
-					 */
-					status = lim_check_rx_wpa_ie_match(
-						     mac_ctx, dot11f_ie_wpa,
-						     session,
-						     assoc_req->HTCaps.present);
-					if (QDF_STATUS_SUCCESS != status) {
-						pe_warn("Re/Assoc rejected from: "
-							   MAC_ADDRESS_STR,
-							MAC_ADDR_ARRAY(
-								hdr->sa));
-						/*
-						 * rcvd Assoc req frame with WPA
-						 * IE but mismatch
-						 */
-						lim_send_assoc_rsp_mgmt_frame(
-							mac_ctx, status, 1,
-							hdr->sa, sub_type, 0,
-							session);
-						return false;
-					}
-				} else {
-					pe_warn("Re/Assoc rejected from: "
-						   MAC_ADDRESS_STR,
-						MAC_ADDR_ARRAY(hdr->sa));
-					/*
-					 * rcvd Assoc req frame with invalid WPA
-					 * IE
-					 */
-					lim_send_assoc_rsp_mgmt_frame(mac_ctx,
-						eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS,
-						1, hdr->sa, sub_type, 0,
-						session);
-					return false;
-				} /* end - if(assoc_req->wpa.length) */
-			} /* end - if(assoc_req->wpaPresent) */
-		}
-		/*
-		 * end of if(session->pLimStartBssReq->privacy
-		 * && session->pLimStartBssReq->rsnIE->length)
-		 */
-	} /* end of if( ! assoc_req->wscInfo.present ) */
-	else {
+		    session->pLimStartBssReq->rsnIE.length)
+			return lim_check_wpa_rsn_ie(session, mac_ctx, sub_type,
+						hdr, assoc_req, pmf_connection);
+	} else {
 		pe_debug("Assoc req WSE IE is present");
 	}
 	return true;