qcacmn: Possible OOB read while parsing MBSSID IE
If the MBSSID IE contains only a header and no payload, the current logic can cause an OOB read. Added a validation check on the IE length before accessing the MBSSID IE payload. Change-Id: Id8b34e5f516f1a1c85bc7d93d9128cad29393e9d CRs-Fixed: 2838631

zatwierdzone przez
Madan Koyyalamudi

rodzic
05f4bb3104
commit
3858136edf
@@ -2689,7 +2689,7 @@ util_scan_parse_beacon_frame(struct wlan_objmgr_pdev *pdev,
|
||||
struct wlan_frame_hdr *hdr;
|
||||
uint8_t *mbssid_ie = NULL;
|
||||
uint32_t ie_len = 0;
|
||||
QDF_STATUS status;
|
||||
QDF_STATUS status = QDF_STATUS_E_FAILURE;
|
||||
struct scan_mbssid_info mbssid_info = { 0 };
|
||||
|
||||
hdr = (struct wlan_frame_hdr *)frame;
|
||||
@@ -2702,6 +2702,10 @@ util_scan_parse_beacon_frame(struct wlan_objmgr_pdev *pdev,
|
||||
mbssid_ie = util_scan_find_ie(WLAN_ELEMID_MULTIPLE_BSSID,
|
||||
(uint8_t *)&bcn->ie, ie_len);
|
||||
if (mbssid_ie) {
|
||||
if (mbssid_ie[1] <= 0) {
|
||||
scm_debug("MBSSID IE length is wrong %d", mbssid_ie[1]);
|
||||
return status;
|
||||
}
|
||||
qdf_mem_copy(&mbssid_info.trans_bssid,
|
||||
hdr->i_addr3, QDF_MAC_ADDR_SIZE);
|
||||
mbssid_info.profile_count = 1 << mbssid_ie[2];
|
||||
|
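Review bot: The second hunk still ends in `mbssid_info.profile_count = 1 << mbssid_ie[2];`, which shifts by a byte taken straight from the received frame. The new length check makes that byte readable but does not bound it, and a shift count of 31 or more on the `int` constant `1` is undefined behaviour. Extend the guard to reject an out-of-range indicator before the shift, e.g. `if (mbssid_ie[1] == 0 || mbssid_ie[2] > MAX_BSSID_INDICATOR) {`. Here `MAX_BSSID_INDICATOR` is a placeholder for whatever limit the project derives from the spec and from the type of `profile_count`, which is not visible here. Since `mbssid_ie` is `uint8_t *`, `mbssid_ie[1] <= 0` can only mean `== 0`, and writing it that way avoids suggesting a signed comparison. The function body starts and ends outside these hunks, so it is not visible whether `util_scan_find_ie` already guarantees that the IE's declared length fits within `ie_len`.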