
Commit eb7a62f9 authored by Deeksha Gupta

wlan: Fix possible OOB in UnpackTlvCore

Currently in UnpackTlvCore(), nBufRemaining is validated
after calling the framesntohs() API, but framesntohs() copies
from the pIn address to the pOut address with length = 2 bytes, as below:
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause an OOB issue if pIn contains fewer than 2 bytes.

The fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: I192dd5b0c68813d01b47011f490d6099049bcda3
CRs-Fixed: 3056532
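As an added example (my own code, not the dot11f parser this commit patches), here is a minimal TLV walker in C with a 1-byte id and a 2-byte length, run twice over a constructed frame whose last TLV is cut off right after its id: once with the check-after-read ordering the commit message describes, and once with the check moved ahead of the 2-byte read. frames_ntohs(), tlv_unpack(), oob_bytes_for(), mem_end and the frame bytes are all hypothetical; the instrumented helper counts, instead of performing, the bytes a real 2-byte memcpy would have fetched past the end of the buffer, and the big-endian length decoding is an assumption.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define STATUS_OK             0u
#define STATUS_INCOMPLETE_TLV 1u   /* stands in for BTAMP_INCOMPLETE_TLV */

/* Instrumentation only: the hard end of the backing array. A real
 * framesntohs() has no such knowledge; here it lets us count rather than
 * perform out-of-bounds reads. (hypothetical) */
static const uint8_t *mem_end;
static size_t oob_bytes;

/* Stand-in for framesntohs(): unconditionally fetches 2 bytes, like
 * DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2) in the commit message.
 * Bytes beyond mem_end are counted, not read. Big-endian is an assumption. */
static uint16_t frames_ntohs(const uint8_t *pIn)
{
    uint8_t tmp[2] = {0, 0};
    for (size_t i = 0; i < 2; i++) {
        if (pIn + i < mem_end)
            tmp[i] = pIn[i];
        else
            oob_bytes++;              /* would have read past the buffer */
    }
    return (uint16_t)((tmp[0] << 8) | tmp[1]);
}

/* Walk TLVs laid out as <1-byte id><2-byte length><value>.
 * check_first == false reproduces the bug: read the length, then check.
 * check_first == true is the fixed ordering: check, then read.
 * Returns a status bitmask; *tlv_count receives the number of TLVs parsed. */
static unsigned tlv_unpack(const uint8_t *pBuf, size_t nBuf, bool check_first,
                           unsigned *tlv_count)
{
    const uint8_t *pBufRemaining = pBuf;
    size_t nBufRemaining = nBuf;
    unsigned status = STATUS_OK;
    *tlv_count = 0;

    while (nBufRemaining > 0) {
        /* id: one byte, always in bounds here because the loop condition
         * guarantees at least one byte remains */
        uint8_t id = *pBufRemaining;
        pBufRemaining += 1;
        nBufRemaining -= 1;

        /* length: the only thing that differs between the two modes is
         * whether the "2 bytes remaining?" check runs before the read */
        if (check_first && nBufRemaining < 2) {
            status |= STATUS_INCOMPLETE_TLV;
            break;
        }
        uint16_t len = frames_ntohs(pBufRemaining);   /* always touches 2 bytes */
        if (!check_first && nBufRemaining < 2) {
            status |= STATUS_INCOMPLETE_TLV;          /* too late: read already happened */
            break;
        }
        pBufRemaining += 2;
        nBufRemaining -= 2;

        /* value */
        if (len > nBufRemaining) {
            status |= STATUS_INCOMPLETE_TLV;
            break;
        }
        (void)id;                                     /* a real parser would dispatch on it */
        pBufRemaining += len;
        nBufRemaining -= len;
        (*tlv_count)++;
    }
    return status;
}

/* Constructed frame: one complete TLV (id 0x01, len 2, value aa bb) followed
 * by a truncated TLV whose id 0x02 is the very last byte of the buffer. */
static const uint8_t kFrame[] = { 0x01, 0x00, 0x02, 0xaa, 0xbb, 0x02 };

/* Runs the walker in the requested mode over kFrame and returns how many
 * bytes it would have read past the end of the frame. */
static size_t oob_bytes_for(bool check_first, unsigned *status, unsigned *count)
{
    mem_end = kFrame + sizeof kFrame;
    oob_bytes = 0;
    *status = tlv_unpack(kFrame, sizeof kFrame, check_first, count);
    return oob_bytes;
}

int main(void)
{
    unsigned status, count;
    size_t oob = oob_bytes_for(false, &status, &count);
    printf("check after read : status=%u tlvs=%u oob_bytes=%zu\n", status, count, oob);
    oob = oob_bytes_for(true, &status, &count);
    printf("check before read: status=%u tlvs=%u oob_bytes=%zu\n", status, count, oob);
    return 0;
}
```

Both orderings flag the truncated TLV as incomplete and parse the same single TLV; the difference is that the check-after-read ordering has already fetched two bytes beyond the buffer by the time it notices, which is exactly the window the commit closes.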
parent 2155f6c3
+29 −3
/*
 * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2013, 2021 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -2873,10 +2873,36 @@ static v_U32_t UnpackTlvCore( void * pCtx,
        else { 
            id = *pBufRemaining; 
        }
	if ( sType > nBufRemaining )
	{
            FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
                         "fewer sType byte(s) remaining.\n" ) );
            status |= BTAMP_INCOMPLETE_TLV;
            FRAMES_DBG_BREAK();
            goto MandatoryCheck;
	}
        pBufRemaining += sType;
        nBufRemaining -= sType;
        // & length,
	if ( 2 > nBufRemaining )
	{
	    FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
			 "fewer two byte(s) remaining.\n" ) );
	    status |= BTAMP_INCOMPLETE_TLV;
	    FRAMES_DBG_BREAK();
	    goto MandatoryCheck;
	}

	framesntohs(pCtx, &len, pBufRemaining, 1);

	if ( sLen > nBufRemaining )
	{
	    FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
			 "fewer sLen byte(s) remaining.\n" ) );
	    status |= BTAMP_INCOMPLETE_TLV;
	    FRAMES_DBG_BREAK();
	    goto MandatoryCheck;
	}
	pBufRemaining += sLen;
        nBufRemaining -= sLen;
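Review bot: with the `2 > nBufRemaining` guard now placed ahead of `framesntohs()`, the `sLen > nBufRemaining` check that follows it can only fire when sLen exceeds 2; if sLen is always 1 or 2 at this point, that second check is dead and can be dropped. Conversely, if sLen can be 1, the new guard rejects a TLV whose one-byte length field is the final byte of the buffer even though that read is in bounds, which the previous code accepted. If that case matters, handle `sLen == 1` with a direct byte read, mirroring the `id = *pBufRemaining;` path at the top of the hunk, and keep the two-byte guard on the `framesntohs()` path only. Two smaller points: the new log text "fewer two byte(s) remaining" should read "fewer than two bytes remaining", and the new lines are indented with tabs while the surrounding code uses spaces.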