samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

Browse Source 
In rrm_fill_beacon_ies(), the len is the total length of
IE + 2 bytes for element ID (1 byte) and length of the
IE(1 byte). Length is defined of type uint8_t and can have
only values upto 255. When the IE content length is 254,
adding 2 bytes to this will cause the len to overflow
resulting in continuous loop in rrm_fill_beacon_ies.

Change the len type to uint16_t to avoid integer overflow.

Change-Id: Id6a6bcce150f778e24316ccc5fb51c6e2a95fc5e
CRs-Fixed: 2537774
This commit is contained in:
Pragaspathi Thilagaraj
2019-09-30 12:32:52 +05:30
committed by nshrivas
parent 2feaa0a946
commit 3548a66560
1 changed files with 17 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
core/mac/src/pe/rrm/rrm_api.c
View File

@@ -650,37 +650,28 @@ rrm_process_beacon_report_req(struct mac_context *mac,
return eRRM_SUCCESS;
}
/* -------------------------------------------------------------------- */
/**
* rrm_fill_beacon_ies
*
* FUNCTION:
*
* LOGIC: Fills Fixed fields and Ies in bss description to an array of uint8_t.
*
* ASSUMPTIONS:
*
* NOTE:
*
* @param pIes - pointer to the buffer that should be populated with ies.
* @param pNumIes - returns the num of ies filled in this param.
* @param pIesMaxSize - Max size of the buffer pIes.
* @param eids - pointer to array of eids. If NULL, all ies will be populated.
* @param numEids - number of elements in array eids.
* rrm_fill_beacon_ies() - Fills fixed fields and Ies in bss description to an
* array of uint8_t.
* @pIes - pointer to the buffer that should be populated with ies.
* @pNumIes - returns the num of ies filled in this param.
* @pIesMaxSize - Max size of the buffer pIes.
* @eids - pointer to array of eids. If NULL, all ies will be populated.
* @numEids - number of elements in array eids.
* @start_offset: Offset from where the IEs in the bss_desc should be parsed
* @param bss_desc - pointer to Bss Description.
* @bss_desc - pointer to Bss Description.
*
* Returns: Remaining length of IEs in current bss_desc which are not included
* in pIes.
* Return: Remaining length of IEs in current bss_desc which are not included
* in pIes.
*/
static uint8_t
rrm_fill_beacon_ies(struct mac_context *mac,
uint8_t *pIes, uint8_t *pNumIes, uint8_t pIesMaxSize,
uint8_t *eids, uint8_t numEids, uint8_t start_offset,
rrm_fill_beacon_ies(struct mac_context *mac, uint8_t *pIes,
uint8_t *pNumIes, uint8_t pIesMaxSize, uint8_t *eids,
uint8_t numEids, uint8_t start_offset,
struct bss_description *bss_desc)
{
uint8_t len, *pBcnIes, count = 0, i;
uint16_t BcnNumIes, total_ies_len;
uint8_t *pBcnIes, count = 0, i;
uint16_t BcnNumIes, total_ies_len, len;
uint8_t rem_len = 0;
if ((!pIes) || (!pNumIes) || (!bss_desc)) {
@@ -729,8 +720,8 @@ rrm_fill_beacon_ies(struct mac_context *mac,
pe_debug("EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes + 1), len);
if (!len) {
pe_err("Invalid length");
if (len <= 2) {
pe_err("RRM: Invalid IE");
break;
}