samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix OOB read of ML IE

Browse Source 
In util_get_bvmlie_bssparamchangecnt() and util_get_bvmlie_mldcap(),
fix the possible OOB read of the ML IE, if the ML IE length is less
than the minimum template of Basic variant ML probe response.

Change-Id: I50efaba682a1e42ef8befe09224edc34de9c8c7b
CRs-Fixed: 3700045
This commit is contained in:
Surya Prakash Sivaraj
2024-01-09 15:58:36 +05:30
committed by Ravindra Konda
parent 24073c30bf
commit 8536ce5d51
1 changed files with 27 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
umac/mlo_mgr/src/utils_mlo.c
View File

@@ -4057,6 +4057,27 @@ util_find_mlie(uint8_t *buf, qdf_size_t buflen, uint8_t **mlieseq,
return QDF_STATUS_SUCCESS; return QDF_STATUS_SUCCESS;
} }
static inline QDF_STATUS
util_validate_bv_mlie_min_seq_len(qdf_size_t mlieseqlen)
{
qdf_size_t parsed_len = sizeof(struct wlan_ie_multilink);
if (mlieseqlen < parsed_len + WLAN_ML_BV_CINFO_LENGTH_SIZE) {
mlo_err_rl("ML seq payload of len %zu doesn't accommodate the mandatory BV ML IE Common info len field",
mlieseqlen);
return QDF_STATUS_E_PROTO;
}
parsed_len += WLAN_ML_BV_CINFO_LENGTH_SIZE;
if (mlieseqlen < parsed_len + QDF_MAC_ADDR_SIZE) {
mlo_err_rl("ML seq payload of len %zu doesn't accommodate the mandatory MLD addr",
mlieseqlen);
return QDF_STATUS_E_PROTO;
}
return QDF_STATUS_SUCCESS;
}
QDF_STATUS QDF_STATUS
util_find_mlie_by_variant(uint8_t *buf, qdf_size_t buflen, uint8_t **mlieseq, util_find_mlie_by_variant(uint8_t *buf, qdf_size_t buflen, uint8_t **mlieseq,
qdf_size_t *mlieseqlen, int variant) qdf_size_t *mlieseqlen, int variant)
@@ -4195,6 +4216,9 @@ util_get_bvmlie_bssparamchangecnt(uint8_t *mlieseq, qdf_size_t mlieseqlen,
presencebitmap = QDF_GET_BITS(mlcontrol, WLAN_ML_CTRL_PBM_IDX, presencebitmap = QDF_GET_BITS(mlcontrol, WLAN_ML_CTRL_PBM_IDX,
WLAN_ML_CTRL_PBM_BITS); WLAN_ML_CTRL_PBM_BITS);
if (QDF_IS_STATUS_ERROR(util_validate_bv_mlie_min_seq_len(mlieseqlen)))
return QDF_STATUS_E_INVAL;
commoninfo = mlieseq + sizeof(struct wlan_ie_multilink); commoninfo = mlieseq + sizeof(struct wlan_ie_multilink);
commoninfolen = *(mlieseq + sizeof(struct wlan_ie_multilink)); commoninfolen = *(mlieseq + sizeof(struct wlan_ie_multilink));
@@ -4584,6 +4608,9 @@ util_get_bvmlie_mldcap(uint8_t *mlieseq, qdf_size_t mlieseqlen,
presencebitmap = QDF_GET_BITS(mlcontrol, WLAN_ML_CTRL_PBM_IDX, presencebitmap = QDF_GET_BITS(mlcontrol, WLAN_ML_CTRL_PBM_IDX,
WLAN_ML_CTRL_PBM_BITS); WLAN_ML_CTRL_PBM_BITS);
if (QDF_IS_STATUS_ERROR(util_validate_bv_mlie_min_seq_len(mlieseqlen)))
return QDF_STATUS_E_INVAL;
commoninfo = mlieseq + sizeof(struct wlan_ie_multilink); commoninfo = mlieseq + sizeof(struct wlan_ie_multilink);
commoninfo_len = *(mlieseq + sizeof(struct wlan_ie_multilink)); commoninfo_len = *(mlieseq + sizeof(struct wlan_ie_multilink));
/* mldcap_offset stores the offset of MLD Capabilities within /* mldcap_offset stores the offset of MLD Capabilities within