
Commit 762ed1e5 authored by Sourav Mohapatra, committed by nshrivas

qcacld-3.0: Prevent possible OOB access in hdd_sendactionframe

In the function hdd_sendactionframe, the parameters passed include the
payload and the corresponding payload length; payload being generic
pointer. The payload is then typecasted into the destination structure
of type tpSirMacVendorSpecificFrameHdr. If the size of the payload
specified in payload_len is less than the size of the destination
structure, there is a possibility of an OOB read while accessing the same.

To prevent this security vulnerability, add a sanity check for the
payload_len against the size of the destination structure.

Change-Id: Ib0e7b7bfcf78412d81f18cf887e5296d80272598
CRs-Fixed: 2517858
parent c26c742d
+5 −0
@@ -1540,6 +1540,11 @@ hdd_sendactionframe(struct hdd_adapter *adapter, const uint8_t *bssid,
	struct cfg80211_mgmt_tx_params params;
#endif

	if (payload_len < sizeof(tSirMacVendorSpecificFrameHdr)) {
		hdd_warn("Invalid payload length: %d", payload_len);
		return -EINVAL;
	}

	if (QDF_STA_MODE != adapter->device_mode) {
		hdd_warn("Unsupported in mode %s(%d)",
			 qdf_opmode_str(adapter->device_mode),
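
Review bot: the comparison "payload_len < sizeof(tSirMacVendorSpecificFrameHdr)" in the new check compares payload_len against a size_t, and the "%d" in the hdd_warn call suggests payload_len is a signed int (its declaration is not visible in this hunk). If it is signed, a negative length is converted to a large unsigned value, the comparison is false, and the frame passes the check. Consider rejecting negative values explicitly before the size comparison, or making the parameter unsigned and switching the format specifier to match. The check also only guarantees that the fixed header is present; any later read past the header still needs to be bounded by payload_len. Printing the required minimum alongside the received length in the warning would make the log line easier to act on.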