Commit ad155b85 authored by Gururaj Pandurangi, committed by Madan Koyyalamudi

qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset

Avoid OOB read in sch_get_csa_ecsa_count_offset API by
adding check for ie_len before subtracting element ID len
from it.

Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7
CRs-Fixed: 3049251
parent f9b5f8c5
+4 −1
@@ -167,7 +167,7 @@ sch_append_addn_ie(struct mac_context *mac_ctx, struct pe_session *session,

/**
 * sch_get_csa_ecsa_count_offset() - get the offset of Switch count field
 * @ie: pointer to the beggining of IEs in the beacon frame buffer
 * @ie: pointer to the beginning of IEs in the beacon frame buffer
 * @ie_len: length of the IEs in the buffer
 * @csa_count_offset: pointer to the csa_count_offset variable in the caller
 * @ecsa_count_offset: pointer to the ecsa_count_offset variable in the caller
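Review bot: The spelling correction on the `@ie` kernel-doc line ("beggining" to "beginning") is unrelated to the bounds check and rides along in a security fix; consider moving it to a separate cleanup commit so the OOB fix stays minimal for backports. If the comment is touched anyway, it would help to document that the function now stops parsing when an element's length exceeds the remaining `ie_len`, since the visible parameter descriptions say nothing about malformed input.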
@@ -206,6 +206,9 @@ static void sch_get_csa_ecsa_count_offset(uint8_t *ie, uint32_t ie_len,
			*ecsa_count_offset = offset +
					SCH_ECSA_SWITCH_COUNT_OFFSET;

		if (ie_len < elem_len)
			return;

		ie_len -= elem_len;
		offset += elem_len;
		ptr += (elem_len + 2);
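Review bot: The new `if (ie_len < elem_len) return;` check sits after the `*ecsa_count_offset = offset + SCH_ECSA_SWITCH_COUNT_OFFSET;` assignment, so for a truncated element the caller can still receive an offset computed from an element that does not fit in the buffer. The check does stop the unsigned `ie_len -= elem_len` from wrapping (`ie_len` is `uint32_t` per the signature), but consider moving it ahead of the offset assignments, or clearing the output offsets before returning, so a caller never indexes the beacon buffer with an offset from a malformed IE. The early return is also silent; a rate-limited debug log carrying `elem_len` and the remaining `ie_len` would make malformed IEs visible during triage.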