
Commit 17937822 authored by Pragaspathi Thilagaraj's avatar Pragaspathi Thilagaraj

wlan: Fix integer overflow in rrm_fill_beacon_ies()

In function rrm_fill_beacon_ies, the total IE length is
calculated as the sum of the IE's length field and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe.
Validate len against the total IE length to avoid the overflow.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617004
parent 186f0ba1
+10 −2
@@ -678,7 +678,8 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
                  tANI_U8 *eids, tANI_U8 numEids,
                  tpSirBssDescription pBssDesc )
{
   tANI_U8 len, *pBcnIes, BcnNumIes, count = 0, i;
   tANI_U8 len, *pBcnIes, count = 0, i;
   tANI_U16 BcnNumIes = 0;

   if( (pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL) )
   {
@@ -705,10 +706,17 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,

   while ( BcnNumIes > 0 )
   {
      len = *(pBcnIes + 1) + 2; //element id + length.
      len = *(pBcnIes + 1); //element id + length.
      len += 2;
      limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
             *pBcnIes, *(pBcnIes+1), len );

      if (BcnNumIes < len || len <= 2) {
          limLog(pMac, LOGE, "RRM: Invalid IE len:%d exp_len:%d",
                 len, BcnNumIes);
          break;
      }

      i = 0;
      do
      {
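Review bot: `len` is still declared `tANI_U8` in the first hunk, so `len += 2` in the second hunk wraps to 0 or 1 for an IE length field of 0xfe or 0xff, and the new guard only works because `len <= 2` happens to catch the wrapped value; the stated intent (validate against the total length) would be explicit and robust if `len` were widened alongside `BcnNumIes`, e.g. `tANI_U8 *pBcnIes, count = 0, i;` followed by `tANI_U16 len, BcnNumIes = 0;`, after which `BcnNumIes < len` compares the true total. The comment `//element id + length.` now sits on the line that reads only the length byte; it belongs on `len += 2;`. If zero-length elements can legitimately appear in a beacon, `len <= 2` also terminates the whole loop on such an element rather than skipping it, which is worth confirming against the caller's expectations. The `do` loop and the enclosing function continue past the end of the hunk.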