qcacld-3.0: Fix potential OOB read in dot11f.c

In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.

In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.

1. In function get_container_ies_len, change calling of find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less thatn IE's minSize.

Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2153003

core/mac/src/include/dot11f.h

@@ -35,7 +35,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Thu Dec  7 00:22:18 2017 from the following file(s):
+ * Wed Dec 13 10:10:49 2017 from the following file(s):
  *
  * dot11f.frms
  *

core/mac/src/sys/legacy/src/utils/src/dot11f.c

@@ -33,7 +33,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Thu Dec  7 00:22:18 2017 from the following file(s):
+ * Wed Dec 13 10:10:49 2017 from the following file(s):
  *
  * dot11f.frms
  *
@@ -340,7 +340,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 	pBufRemaining += len + 2;
 	len += 2;
 	while (len < nBuf) {
-		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf + len, IEs);
+		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
 		if (NULL == pIe)
 			break;
 		if (pIe->eid == pIeFirst->eid)
@@ -349,7 +349,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 		pBufRemaining += *(pBufRemaining + 1) + 2;
 	}
 
-	if (len > 0xFF)
+	if ((len > 0xFF) || (len > nBuf))
 		return DOT11F_INTERNAL_ERROR;
 	*pnConsumed = len;
 	return DOT11F_PARSE_SUCCESS;
@@ -10571,11 +10571,15 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 		}
 
 		if (pIe) {
-			if (nBufRemaining < pIe->minSize - pIe->noui - 2U) {
-				FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must be "
-					"at least %d bytes in size, but there are onl"
-					"y %d bytes remaining in this frame.\n"),
-					pIe->name, pIe->minSize, nBufRemaining);
+			if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
+			    (len < pIe->minSize - pIe->noui - 2U)) {
+				FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
+					"be at least %d bytes in size, but "
+					"there are only %d bytes remaining in "
+					"this frame or the IE reports a size "
+					"of %d bytes.\n"),
+					pIe->name, pIe->minSize, nBufRemaining,
+					(len + pIe->noui + 2U));
 				FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
 				status |= DOT11F_INCOMPLETE_IE;
 				FRAMES_DBG_BREAK();