qcacmn: OOB while accessing ML IE

Currently, in function "util_get_ml_bv_partner_link_info" driver access the ML IE memory with offset which is calculated from ML IE length and increment this offset with other values (such as perstaprof_stainfo_len). But this can lead to OOB for ML IE when this offset value is increment beyond ML IE length. So, to fix this, add check for offset before accessing ML IE. Change-Id: Ie7312ab3379fce16e5b0f83d07d46f263f774ed8 CRs-Fixed: 3710085
2024-01-29 12:55:49 +05:30
Parent f323c32b7d
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -2293,8 +2293,11 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,
 	}

 	scan_entry->ml_info.num_links = link_idx;
-	if (!offset)
+	if (!offset ||
+	    (offset + sizeof(struct wlan_ml_bv_linfo_perstaprof) >= ml_ie_len)) {
+		scm_err_rl("incorrect offset value %d", offset);
 		return;
+	}

 	/* TODO: loop through all the STA info fields */

@@ -2338,6 +2341,10 @@ util_get_ml_bv_partner_link_info(struct wlan_objmgr_pdev *pdev,

 		/* Skip STA Info Length field */
 		offset += perstaprof_stainfo_len;
+		if (offset >= ml_ie_len) {
+			scm_err_rl("incorrect offset value %d", offset);
+			return;
+		}

 		/*
 		 * To point to the ie_list offset move past the STA Info