
qcacmn: Add length checks for noninheritance_ie

In util_scan_find_noninheritance_ie API,
ies[ELEM_ID_EXTN_POS] may lead to OOB access if
len==MIN_IE_LEN.

util_parse_noninheritance_list may lead to OOB
read access extn_elem[ELEM_ID_LIST_LEN_POS]

Fix is to add length checks, and to check extn_elem against
sub_copy and subie_len before accessing it, to avoid any
OOB read.

Change-Id: I7758c6e4d8d568a5050011603b48a23e0b11da94
CRs-Fixed: 3717569
Sheenam Monga 1 年間 前
コミット
5daee8fcbe
1 ファイル変更7 行追加4 行削除
  1. 7 4
      umac/scan/dispatcher/src/wlan_scan_utils_api.c

+ 7 - 4
umac/scan/dispatcher/src/wlan_scan_utils_api.c

@@ -2691,7 +2691,8 @@ static uint8_t
 	if (!ies)
 		return NULL;
 
-	while (len >= MIN_IE_LEN && len >= ies[TAG_LEN_POS] + MIN_IE_LEN) {
+	while ((len >= MIN_IE_LEN + 1) && len >= ies[TAG_LEN_POS] + MIN_IE_LEN)
+	{
 		if ((ies[ID_POS] == elem_id) &&
 		    (ies[ELEM_ID_EXTN_POS] ==
 		     WLAN_EXTN_ELEMID_NONINHERITANCE)) {
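Review bot: The new `len >= MIN_IE_LEN + 1` bound in the `while` condition is measured against the remaining buffer, not against the current element, so an element with `ies[TAG_LEN_POS] == 0` still has `ies[ELEM_ID_EXTN_POS]` read from the first byte of whatever follows it. The read is in bounds after this change, but the comparison with WLAN_EXTN_ELEMID_NONINHERITANCE can then match on a byte that does not belong to the element; adding `ies[TAG_LEN_POS] >= 1 &&` to the `if` would tie the extension-ID read to the element's own length. This assumes ELEM_ID_EXTN_POS is the byte right after the two-byte header, as the commit message implies. The opening brace on a line of its own also departs from the style of the line it replaces (`... + MIN_IE_LEN) {`). The loop body and the pointer advance are outside the hunk, so the stepping was not reviewed.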
@@ -3091,9 +3092,11 @@ static uint32_t util_gen_new_ie(struct wlan_objmgr_pdev *pdev,
 	extn_elem = util_scan_find_noninheritance_ie(WLAN_ELEMID_EXTN_ELEM,
 						     sub_copy, subie_len);
 
-	if (extn_elem && extn_elem[TAG_LEN_POS]) {
-		util_parse_noninheritance_list(extn_elem, &elem_list,
-					       &extn_elem_list, &ninh);
+	if (extn_elem && extn_elem[TAG_LEN_POS] >= VALID_ELEM_LEAST_LEN) {
+		if (((extn_elem + extn_elem[1] + MIN_IE_LEN) - sub_copy)
+		    < subie_len)
+			util_parse_noninheritance_list(extn_elem, &elem_list,
+						       &extn_elem_list, &ninh);
 	}
 
 	/* go through IEs in ie (skip SSID) and subelement,
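Review bot: The inner bound `((extn_elem + extn_elem[1] + MIN_IE_LEN) - sub_copy) < subie_len` looks off by one: an element that ends exactly on the last of the `subie_len` bytes yields a difference equal to `subie_len` and is rejected, so a non-inheritance element placed last in the subelement would be skipped without being parsed. If MIN_IE_LEN is the two-byte header size, containment is `<=`; writing it as `if ((extn_elem - sub_copy) + extn_elem[TAG_LEN_POS] + MIN_IE_LEN <= subie_len)` also replaces the bare index `1` with the `TAG_LEN_POS` name used on the line above and does the arithmetic on offsets rather than on a pointer that may lie past the buffer. Whether util_parse_noninheritance_list bounds the list lengths it reads by the element length is not visible here and is worth confirming, since `VALID_ELEM_LEAST_LEN` only guarantees a minimum. util_gen_new_ie starts and ends outside the hunk.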