
qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response

Avoid OOB read in dot11f_unpack_assoc_response API. Change the
loop check to nBuf-len > 1 before reading the next byte of pBufRemaining.
This guarantees at least 2 bytes remain to be read, since every IE
is at least 2 bytes long.

Change-Id: Ic6756c11c05e68f0af5227971ce8b16a6c7e012a
CRs-Fixed: 3104235
Gururaj Pandurangi 3 éve
szülő
commit
c032cd1997

+ 2 - 2
core/mac/src/include/dot11f.h

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -27,7 +27,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Fri Nov 19 01:58:42 2021 from the following file(s):
+ * Tue Jan  4 11:29:43 2022 from the following file(s):
  *
  * dot11f.frms
  *

+ 14 - 8
core/mac/src/sys/legacy/src/utils/src/dot11f.c

@@ -1,6 +1,6 @@
 /*
  * Copyright (c) 2012-2021 The Linux Foundation. All rights reserved.
- * Copyright (c) 2021 Qualcomm Innovation Center, Inc. All rights reserved.
+ * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -25,7 +25,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Fri Nov 19 01:58:42 2021 from the following file(s):
+ * Tue Jan  4 11:29:43 2022 from the following file(s):
  *
  * dot11f.frms
  *
@@ -336,7 +336,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 	len += *(pBufRemaining+1);
 	pBufRemaining += len + 2;
 	len += 2;
-	while (len < nBuf) {
+	while (len + 1 < nBuf) {
 		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
 		if (NULL == pIe)
 			break;
@@ -16274,25 +16274,30 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal   pCtx,
 			}
 			/* & length, */
 			if (pTlv->sLen == 2) {
-				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
 				if (2 > nBufRemaining) {
 					FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
 							"fewer two byte(s) remaining.\n"));
 					status |= DOT11F_INCOMPLETE_TLV;
 					FRAMES_DBG_BREAK();
 					goto MandatoryCheck;
-			}
-			pBufRemaining += 2;
-			nBufRemaining -= 2;
+				}
+				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
+				pBufRemaining += 2;
+				nBufRemaining -= 2;
 			} else {
 				len = *pBufRemaining;
 				pBufRemaining += 1;
 				nBufRemaining -= 1;
 			}
 		} else {
+			if (TLVs[0].sType > nBufRemaining) {
+				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
+					     "fewer LVs[0].sType byte(s) remaining.\n"));
+				status |= DOT11F_INCOMPLETE_TLV;
+				goto MandatoryCheck;
+			}
 			pBufRemaining += TLVs[0].sType;
 			nBufRemaining -= TLVs[0].sType;
-			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
 			if (2 > nBufRemaining) {
 				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
 					     "fewer two byte(s) remaining.\n"));
@@ -16300,6 +16305,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal   pCtx,
 				FRAMES_DBG_BREAK();
 				goto MandatoryCheck;
 			}
+			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
 			pBufRemaining += 2;
 			nBufRemaining -= 2;
 		}
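Review bot: The new length guard in unpack_tlv_core logs a mangled identifier and, unlike the sibling guard a few lines above, skips the debug break: the message should read `FRFL("This frame reports " "fewer TLVs[0].sType byte(s) remaining.\n")` and the block should carry `FRAMES_DBG_BREAK();` before `goto MandatoryCheck;` so that truncated frames are caught the same way on every path. Moving framesntohs below the `2 > nBufRemaining` checks is the right fix for the out-of-bounds read, and with the added guard the `nBufRemaining -= TLVs[0].sType` subtraction can no longer wrap. The one-byte length branch (`len = *pBufRemaining;`) still reads without a visible check that nBufRemaining is at least 1; that may be covered by the type check earlier in the function, which lies outside this hunk, so confirm rather than assume. The body of unpack_tlv_core begins and ends outside the hunk.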