
Commit 6518a299 authored by Wu Gao's avatar Wu Gao Committed by Dundi Raviteja

wlan: Fix potential OOB read when indicate mgmt frame

qcacld-2.0 to prima propagation.

In function __hdd_indicate_mgmt_frame, the mgmt frame length is not checked
before the frame pointer is accessed, which can potentially cause an OOB read.
So, check the frame length before accessing the frame pointer.

Change-Id: Id2bd4276838f1eae49e8a24e8ab3361a69321a69
CRs-Fixed: 2525198
parent 1a9dbcf1
+7 −2
@@ -2763,6 +2763,7 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
    /* Get pAdapter from Destination mac address of the frame */
    if ((type == SIR_MAC_MGMT_FRAME) &&
        (subType != SIR_MAC_MGMT_PROBE_REQ) &&
        (nFrameLength > WLAN_HDD_80211_FRM_DA_OFFSET + VOS_MAC_ADDR_SIZE) &&
        !vos_is_macaddr_broadcast(
         (v_MACADDR_t *)&pbFrames[WLAN_HDD_80211_FRM_DA_OFFSET]))
    {
@@ -2833,12 +2834,16 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
    cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );

    if ((type == SIR_MAC_MGMT_FRAME) &&
        (subType == SIR_MAC_MGMT_ACTION))
        (subType == SIR_MAC_MGMT_ACTION) &&
        (nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1))
    {
        if(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET] == WLAN_HDD_PUBLIC_ACTION_FRAME)
        {
            // public action frame
            if((pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] == SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
            if((WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 <
                nFrameLength) &&
               (pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] ==
                SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
                vos_mem_compare(&pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+2], SIR_MAC_P2P_OUI, SIR_MAC_P2P_OUI_SIZE))
            // P2P action frames
            {
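Review bot: The new bound on the vendor-specific branch, `WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 < nFrameLength`, is one byte stricter than the vos_mem_compare of SIR_MAC_P2P_OUI_SIZE bytes at offset +2 needs, and it is written with the operands reversed relative to the other two checks added in this commit (`nFrameLength > ...` in both hunks). If the extra byte is meant to cover a read of the sub-type byte that follows the OUI in the P2P block further down, that intent should be recorded, e.g. `/* +1: the P2P frame sub-type byte after the OUI is read below */`, and the check written as `(nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2) &&` for consistency; if no such read exists, the bound can be loosened by one. The type of nFrameLength is not visible here, so whether these signed/unsigned comparisons are clean under -Wsign-compare should be confirmed. The body of __hdd_indicate_mgmt_frame continues outside both hunks.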