samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Add frame length check in util_gen_link_reqrsp_cmn

Browse Source 
While parsing probe response and assoc response frame,
timestamp data is copied to buffer variable without validating
the frame length. If received frame length is less than max
size of timestamp, this will lead Out-of-bound access.

Add frame length check with max size of timestamp before copying
from the frame received in util_gen_link_reqrsp_cmn.

Change-Id: I055ccc84d334316ecd772e19371d315274373c04
CRs-Fixed: 3699954
This commit is contained in:
Vinod Kumar Myadam
2024-01-09 10:44:31 +05:30
committed by Ravindra Konda
parent 924e277dd2
commit 59d256f5ce
1 changed files with 5 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
umac/mlo_mgr/src/utils_mlo.c
View File

@@ -2998,6 +2998,11 @@ QDF_STATUS util_gen_link_reqrsp_cmn(uint8_t *frame, qdf_size_t frame_len,
frame_iesection_offset = WLAN_REASSOC_REQ_IES_OFFSET; frame_iesection_offset = WLAN_REASSOC_REQ_IES_OFFSET;
} else if (subtype == WLAN_FC0_STYPE_PROBE_RESP) { } else if (subtype == WLAN_FC0_STYPE_PROBE_RESP) {
frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET; frame_iesection_offset = WLAN_PROBE_RESP_IES_OFFSET;
if (frame_len < WLAN_TIMESTAMP_LEN) {
mlo_err("Frame length %zu is smaller than required timestamp length",
frame_len);
return QDF_STATUS_E_INVAL;
}
qdf_mem_copy(&tsf, frame, WLAN_TIMESTAMP_LEN); qdf_mem_copy(&tsf, frame, WLAN_TIMESTAMP_LEN);
tsf = qdf_le64_to_cpu(tsf); tsf = qdf_le64_to_cpu(tsf);
} else { } else {