
Commit 635a5165 authored by Krupali Dhanvijay's avatar Krupali Dhanvijay

qcacmn: Fix out of bound read issue in ESP ie parse

While parsing ESP IE from beacon/probe response frame,
the condition in loop to copy ESP_INFO from the ESP IE is
incorrect which will iterate for 5 times rather than 4 times,
this may cause OOB access.

data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here 3 is added to esp_ie->esp_len, but esp_len itself already
includes 1 extra byte (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
so adding 3 again makes the loop run one more iteration,
which causes the OOB access.

Remove 3 in loop condition to avoid one more extra iteration
and ignore ESP_ID_EXTN element for total elements, in function
util_scan_update_esp_data.

Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
parent 7cfc3cf2
+4 −2
/*
/*
 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2024 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
 * any purpose with or without fee is hereby granted, provided that the
@@ -795,7 +796,8 @@ static void util_scan_update_esp_data(struct wlan_esp_ie *esp_information,
	esp_ie = (struct wlan_esp_ie *)
	esp_ie = (struct wlan_esp_ie *)
		util_scan_entry_esp_info(scan_entry);
		util_scan_entry_esp_info(scan_entry);


	total_elements  = esp_ie->esp_len;
	// Ignore ESP_ID_EXTN element
	total_elements  = esp_ie->esp_len - 1;
	data = (uint8_t *)esp_ie + 3;
	data = (uint8_t *)esp_ie + 3;
	do_div(total_elements, ESP_INFORMATION_LIST_LENGTH);
	do_div(total_elements, ESP_INFORMATION_LIST_LENGTH);


@@ -805,7 +807,7 @@ static void util_scan_update_esp_data(struct wlan_esp_ie *esp_information,
	}
	}


	for (i = 0; i < total_elements &&
	for (i = 0; i < total_elements &&
	     data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3); i++) {
	     data < ((uint8_t *)esp_ie + esp_ie->esp_len); i++) {
		esp_info = (struct wlan_esp_info *)data;
		esp_info = (struct wlan_esp_info *)data;
		if (esp_info->access_category == ESP_AC_BK) {
		if (esp_info->access_category == ESP_AC_BK) {
			qdf_mem_copy(&esp_information->esp_info_AC_BK,
			qdf_mem_copy(&esp_information->esp_info_AC_BK,
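Review bot: `total_elements  = esp_ie->esp_len - 1;` in the hunk at -795 has no guard for `esp_len == 0`, a value a malformed IE in a received beacon or probe response can carry; if total_elements is the unsigned 64-bit operand that do_div() expects, the subtraction wraps to a very large count and correctness then depends on the range check between the two hunks, which is not visible here. A guard ahead of the subtraction makes the intent explicit: `if (esp_ie->esp_len < 1) return;`. In the hunk at -805 the new bound `data < ((uint8_t *)esp_ie + esp_ie->esp_len)` compares the start of the next element rather than its end, so the guarantee that the read through `esp_info` stays inside the IE actually rests on total_elements coming from the integer division above, not on this pointer comparison. Comparing the element end with the IE end, `data + sizeof(*esp_info) <= (uint8_t *)esp_ie + 2 + esp_ie->esp_len` (assuming esp_len counts the bytes after the ID/length pair, as the message describes), would make the bound self-evident. The start of util_scan_update_esp_data lies outside both hunks.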