
Commit b0f95f51 authored by gaurank kathpalia, committed by Gerrit - the friendly Code Review server

wlan: Fix OOB read in limProcessDeauthFrame

Propagation from cld2.0 to prima
In the API limProcessDeauthFrame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in an OOB read.

Fix is to have a min length check of 16 bits for the
reason code before accessing it.

Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2341590
parent a1869737
+7 −4
@@ -71,15 +71,19 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
    tpDphHashNode     pStaDs;
    tpPESession       pRoamSessionEntry=NULL;
    tANI_U8           roamSessionId;
#ifdef WLAN_FEATURE_11W
    tANI_U32          frameLen;
#endif


    pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);

    pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);

    frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
    if (frameLen < sizeof(reasonCode)) {
        PELOGE(limLog(pMac, LOGE,
                      FL("received invalid framelen %d"), frameLen);)
        return;
    }

    if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) &&
        ((eLIM_SME_WT_DISASSOC_STATE == psessionEntry->limSmeState) ||
         (eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState)))
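Review bot: the new check uses frameLen unconditionally, yet this hunk still shows the declaration `tANI_U32 frameLen;` wrapped in `#ifdef WLAN_FEATURE_11W` / `#endif`; with the +/- markers lost in this rendering it is not visible whether those guard lines are the removed side, so please confirm the declaration ends up unguarded, otherwise the build fails when WLAN_FEATURE_11W is disabled. The check itself is placed correctly: `if (frameLen < sizeof(reasonCode))` runs right after pBody is obtained and before any read from the body, which is what closes the OOB read the commit message describes. Since any malformed deauth frame on the air reaches the `PELOGE(limLog(pMac, LOGE, ...))` line, a rate-limited log would be preferable here if the driver provides one.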
@@ -126,7 +130,6 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
        PELOGE(limLog(pMac, LOGE, FL("received an unprotected deauth from AP"));)
        // If the frame received is unprotected, forward it to the supplicant to initiate
        // an SA query
        frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);

        //send the unprotected frame indication to SME
        limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
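Review bot: the standalone `frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);` inside the unprotected-deauth branch is now redundant with the assignment made at the top of the function before the length check; dropping it (as the −4 in the diff stat suggests) is fine as long as nothing between the two points modifies frameLen, and the visible context shows nothing that does. If the line is instead kept, it is harmless but should carry a comment explaining why the value is re-read.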