qcacmn: Add frame length check in util_gen_link_reqrsp_cmn

While parsing probe response and assoc response frame,
timestamp data is copied to buffer variable without validating
the frame length. If received frame length is less than max
size of timestamp, this will lead to out-of-bound access.

Add frame length check with max size of timestamp before copying
from the frame received in util_gen_link_reqrsp_cmn.

Change-Id: I055ccc84d334316ecd772e19371d315274373c04
CRs-Fixed: 3699954
Vinod Kumar Myadam, 1 year ago
Commit: 59d256f5ce
1 file changed, 5 insertions and 0 deletions

umac/mlo_mgr/src/utils_mlo.c (+5 -0)

@@ -2998,6 +2998,11 @@ QDF_STATUS util_gen_link_reqrsp_cmn(uint8_t *frame, qdf_size_t frame_len,
 		frame_iesection_offset = WLAN_REASSOC_REQ_IES_OFFSET;
 	} else if (subtype == WLAN_FC0_STYPE_PROBE_RESP) {
 		frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET;
+		if (frame_len < WLAN_TIMESTAMP_LEN) {
+			mlo_err("Frame length %zu is smaller than required timestamp length",
+				frame_len);
+			return QDF_STATUS_E_INVAL;
+		}
 		qdf_mem_copy(&tsf, frame, WLAN_TIMESTAMP_LEN);
 		tsf = qdf_le64_to_cpu(tsf);
 	} else {
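
Review bot: The new check in the WLAN_FC0_STYPE_PROBE_RESP branch only guarantees WLAN_TIMESTAMP_LEN bytes, yet the same branch sets frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET, so a frame that passes here can still be shorter than the offset at which IE parsing will start. Please confirm that frame_len is validated against frame_iesection_offset before the IE section is read, or compare against WLAN_PROBE_RESP_IES_OFFSET in this check so one test covers both the timestamp copy and the IE offset. Two smaller points: the commit message names both probe response and assoc response frames, but the check is added only in the probe response branch, so either the message or the patch should be adjusted to match; and the mlo_err text would be easier to act on if it also printed the required length (WLAN_TIMESTAMP_LEN) next to frame_len.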