
Commit 55e0868b authored by Abhishek Ambure

wlan: Remove off-by-one write condition in sch_beacon_process

In the API, the driver inserts 0 after the SSID name to mark the
end of the ssid, but if the SSID name is 32 characters, which is
the max SSID length possible, the driver puts 0 at the 33rd
place of memory, which is not part of the SSID name, which
results in an OOB write, or off-by-one write condition.

Fix is to remove the addition of 0 after ssid, as in every
case the driver prints the ssid, taking the ssid length
as the input, and in that case insertion of 0 will not serve
any purpose.

Change-Id: I1d58026ec9f48fe9d00bd2f50783c65899588978
CRs-Fixed: 2598900
parent 5307dd91
+2 −2
@@ -1103,11 +1103,11 @@ typedef __ani_attr_pre_packed struct sSirMacRateSet
    tANI_U8  rate[SIR_MAC_RATESET_EID_MAX];
} __ani_attr_packed tSirMacRateSet;


//Reserve 1 byte for NULL character in the SSID name field to print in %s
typedef __ani_attr_pre_packed struct sSirMacSSid
{
    tANI_U8        length;
    tANI_U8        ssId[32];
    tANI_U8        ssId[SIR_MAC_MAX_SSID_LENGTH + 1];
} __ani_attr_packed tSirMacSSid;

typedef __ani_attr_pre_packed struct sSirMacWpaInfo
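
Review bot: The comment above sSirMacSSid ("Reserve 1 byte for NULL character in the SSID name field to print in %s") does not agree with the commit message, which says the terminator is no longer written and that every print takes the ssid length, so nothing guarantees ssId is NUL-terminated. If the `SIR_MAC_MAX_SSID_LENGTH + 1` sizing is what stays in the tree, reword the comment to say the extra byte is slack only and that ssId must be printed with a length-bounded format, never a bare %s. The struct is packed, so a change in the array size changes sizeof(tSirMacSSid); any code that copies, compares or serializes the whole struct should be checked. Whichever declaration is kept, size it with SIR_MAC_MAX_SSID_LENGTH rather than the literal 32.
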
+0 −4
@@ -759,10 +759,6 @@ void schBeaconProcess(tpAniSirGlobal pMac, tANI_U8* pRxPacketInfo, tpPESession p

        return;
    }
    if (beaconStruct.ssidPresent)
    {
        beaconStruct.ssId.ssId[beaconStruct.ssId.length] = 0;
    }

    /*
    * First process the beacon in the context of any existing AP or BTAP session.
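
Review bot: Dropping the write at `beaconStruct.ssId.ssId[beaconStruct.ssId.length] = 0;` removes the out-of-bounds store, but nothing in this hunk shows that beaconStruct.ssId.length is bounded, and it comes from a received beacon. Please confirm the beacon parser rejects or clamps an SSID length above SIR_MAC_MAX_SSID_LENGTH before this point, since every later length-based copy or print trusts that field. Also audit the consumers of beaconStruct.ssId.ssId after this function for string-style use (%s without a precision, strlen, strcmp), because they previously relied on the terminator this block wrote.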