From b6aa87c2911565f81fa4d2c65e6ceae472316d63 Mon Sep 17 00:00:00 2001 From: sheenam monga Date: Tue, 27 Jul 2021 22:33:19 +0530 Subject: [PATCH] qcacld-3.0: Validate sub_ele_len before calculating len Currently fw is allowed to provide ch_wr_ie len upto 20 bytes. If fw provides ie len > 20 bytes then driver may lead to access invalid memory. To find sub element, subelement len is calculated from total len without any validation. ele may point to invalid address when subelement which is calculated from ie len becomes > len. Fix is to compare ie len provided by fw with max ie len and validate subelement len and then proceed with subelement. Change-Id: I1a833c3828e4afc6e37ed27e008663152b6b5d86 CRs-Fixed: 2995818 --- core/wma/src/wma_features.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/core/wma/src/wma_features.c b/core/wma/src/wma_features.c index 0b9f87701f..35bc6617a1 100644 --- a/core/wma/src/wma_features.c +++ b/core/wma/src/wma_features.c @@ -79,6 +79,7 @@ * MCL platform. */ #define WMA_SET_VDEV_IE_SOURCE_HOST 0x0 +#define CH_WR_IE_MAX_LEN 20 /* * Max AMPDU Tx Aggr supported size @@ -1174,7 +1175,8 @@ wma_parse_ch_switch_wrapper_ie(uint8_t *ch_wr_ie, uint8_t sub_ele_id) ele = (struct ie_header *)ch_wr_ie; if (ele->ie_id != WLAN_ELEMID_CHAN_SWITCH_WRAP || - ele->ie_len == 0) + ele->ie_len == 0 || ele->ie_len > (CH_WR_IE_MAX_LEN - + sizeof(struct ie_header))) return NULL; len = ele->ie_len; @@ -1182,6 +1184,11 @@ wma_parse_ch_switch_wrapper_ie(uint8_t *ch_wr_ie, uint8_t sub_ele_id) while (len > 0) { sub_ele_len = sizeof(struct ie_header) + ele->ie_len; + if (sub_ele_len > len) { + wma_debug("invalid sub element len :%d id:%d ie len:%d", + sub_ele_len, ele->ie_id, ele->ie_len); + return NULL; + } len -= sub_ele_len; if (ele->ie_id == sub_ele_id) return (uint8_t *)ele;