
Commit f75f0267 authored by Deeksha Gupta's avatar Deeksha Gupta

wlan: Fix possible OOB in unpack_tlv_core

Currently in UnpackTlvCore(), nBufRemaining is validated
after calling the framesntohs API. Since framesntohs() copies
2 bytes from the pIn address to the pOut address, as below:
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
this could cause an OOB issue if pIn contains fewer than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: Ia79a590efaa0d81f06eb66c2163da34f1932b18f
CRs-Fixed: 3048959
parent 8bde5cc1
+2 −2
/*
 * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -32,7 +32,7 @@
  * \brief Structures, function prototypes & definitions
  * for working with 802.11 Frames
  * This file was automatically generated by 'framesc'
  * Mon Jul 22 17:48:28 2019 from the following file(s):
  * Tue Oct  5 09:07:17 2021 from the following file(s):
  *
  * dot11f.frms
  *
+12 −4
/*
 * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@@ -30,7 +30,7 @@
  * \brief Structures, functions & definitions for
  * working with 802.11 Frames
  * This file was automatically generated by 'framesc'
  * Mon Jul 22 17:48:28 2019 from the following file(s):
  * Tue Oct  5 09:07:17 2021 from the following file(s):
  *
  * dot11f.frms
  *
@@ -23368,7 +23368,6 @@ static tANI_U32 UnpackTlvCore( tpAniSirGlobal pCtx,
           // & length,
           if ( pTlv->sLen == 2)
           {
              framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
              if ( 2 > nBufRemaining )
              {
                  FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23377,6 +23376,7 @@ static tANI_U32 UnpackTlvCore( tpAniSirGlobal pCtx,
                  FRAMES_DBG_BREAK();
                  goto MandatoryCheck;
              }
              framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
              pBufRemaining += 2;
              nBufRemaining -= 2;
           }else
@@ -23388,9 +23388,16 @@ static tANI_U32 UnpackTlvCore( tpAniSirGlobal pCtx,
        }
        else
        {
           if ( TLVs[0].sType > nBufRemaining )
           {
               FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
                                               "fewer TLVs[0].sType byte(s) remaining.\n") );
               status |= DOT11F_INCOMPLETE_TLV;
               FRAMES_DBG_BREAK();
               goto MandatoryCheck;
           }
           pBufRemaining += TLVs[0].sType;
           nBufRemaining -= TLVs[0].sType;
           framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
           if ( 2 > nBufRemaining )
           {
              FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23399,6 +23406,7 @@ static tANI_U32 UnpackTlvCore( tpAniSirGlobal pCtx,
              FRAMES_DBG_BREAK();
              goto MandatoryCheck;
           }
           framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
           pBufRemaining += 2;
           nBufRemaining -= 2;
        }
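Review bot: The relocated framesntohs() calls in the hunks at -23368/-23377 and -23388/-23399 carry no comment saying why the call must follow the `2 > nBufRemaining` test, so a later edit, or a regeneration of this file by 'framesc' (which the header says produced it), could silently restore the original ordering; add a one-line comment above each moved call, e.g. `// framesntohs() reads 2 bytes unconditionally: nBufRemaining must be validated first`, in both the sLen == 2 branch and the else branch. The new `TLVs[0].sType > nBufRemaining` guard correctly precedes the pointer advance, and the subsequent `2 > nBufRemaining` test covers the sType == nBufRemaining case, so the new-side logic itself looks sound. Because the file is generated, confirm the same reordering lives in the framesc source; the updated timestamp in the header suggests it was regenerated, but that cannot be verified from these hunks. UnpackTlvCore's body begins and ends outside the hunks shown.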