
qcacmn: Add frame length check in util_gen_link_reqrsp_cmn

While parsing probe response and assoc response frame,
timestamp data is copied to buffer variable without validating
the frame length. If received frame length is less than max
size of timestamp, this will lead to an out-of-bounds access.

Add frame length check with max size of timestamp before copying
from the frame received in util_gen_link_reqrsp_cmn.

Change-Id: I055ccc84d334316ecd772e19371d315274373c04
CRs-Fixed: 3699954
Vinod Kumar Myadam 1 year ago
parent
commit
59d256f5ce
1 changed file with 5 additions and 0 deletions
  1. umac/mlo_mgr/src/utils_mlo.c (+5 -0)

+ 5 - 0
umac/mlo_mgr/src/utils_mlo.c

@@ -2998,6 +2998,11 @@ QDF_STATUS util_gen_link_reqrsp_cmn(uint8_t *frame, qdf_size_t frame_len,
 		frame_iesection_offset = WLAN_REASSOC_REQ_IES_OFFSET;
 	} else if (subtype == WLAN_FC0_STYPE_PROBE_RESP) {
 		frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET;
+		if (frame_len < WLAN_TIMESTAMP_LEN) {
+			mlo_err("Frame length %zu is smaller than required timestamp length",
+				frame_len);
+			return QDF_STATUS_E_INVAL;
+		}
 		qdf_mem_copy(&tsf, frame, WLAN_TIMESTAMP_LEN);
 		tsf = qdf_le64_to_cpu(tsf);
 	} else {
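
Review bot: the new guard in the WLAN_FC0_STYPE_PROBE_RESP branch only proves that frame_len covers WLAN_TIMESTAMP_LEN, yet the line just above it sets frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET. If no check outside this hunk rejects frame_len < frame_iesection_offset, consider comparing against WLAN_PROBE_RESP_IES_OFFSET here instead (assuming it is at least WLAN_TIMESTAMP_LEN), so one test covers both the qdf_mem_copy of the timestamp and any later access at the IE offset. The commit message also names the assoc response frame, but this hunk changes only the probe response branch; please confirm the assoc response path does no comparable copy, or say so in the message. Minor: the "%zu" in mlo_err assumes qdf_size_t is size_t on every supported build.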