
Commit b270d228 authored by Jyoti Kumari's avatar Jyoti Kumari Committed by Madan Koyyalamudi

qcacmn: Fix OOB read issue in SSID ie

During beacon or probe response, if channel is dfs && frame type
is MGMT_SUBTYPE_BEACON, it would call "util_scan_add_hidden_ssid"
to deal with the packet. If the ie id matches with SSID then OOB
read may occur in ie_len as it is validated with upper bound of
ie_ssid.

Validate the ie length first. If it is greater than 0, copy ie-length
bytes into the SSID.

Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a
CRs-Fixed: 3007473
parent 577c692f
+12 −5
@@ -1374,7 +1374,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
	uint16_t tmplen, ie_length;
	uint8_t *pbeacon, *tmp;
	bool     set_ssid_flag = false;
	struct ie_ssid *ssid;
	struct ie_ssid ssid = {0};
	uint8_t pdev_id;

	if (!pdev) {
@@ -1423,8 +1423,15 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
						 sizeof(struct ie_header))) {
				return QDF_STATUS_E_INVAL;
			}
			ssid = (struct ie_ssid *)ie;
			if (util_scan_is_hidden_ssid(ssid)) {
			ssid.ssid_id = ie->ie_id;
			ssid.ssid_len = ie->ie_len;

			if (ssid.ssid_len)
				qdf_mem_copy(ssid.ssid,
					     ie + sizeof(struct ie_header),
					     ssid.ssid_len);

			if (util_scan_is_hidden_ssid(&ssid)) {
				set_ssid_flag  = true;
				ssid_ie_start_offset = bcn_ie_offset -
					sizeof(struct ie_header);
@@ -1451,7 +1458,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)

	if (set_ssid_flag) {
		/* Hidden SSID if the Length is 0 */
		if (!ssid->ssid_len) {
		if (!ssid.ssid_len) {
			/* increase the taillength by length of ssid */
			if (qdf_nbuf_put_tail(bcnbuf,
					      conf_ssid->length) == NULL) {
@@ -1484,7 +1491,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
			qdf_mem_free(tmp);

			/* Hidden ssid with all 0's */
		} else if (ssid->ssid_len == conf_ssid->length) {
		} else if (ssid.ssid_len == conf_ssid->length) {
			/* Insert the  SSID string */
			qdf_mem_copy((pbeacon + ssid_ie_start_offset +
				      sizeof(struct ie_header)),
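Review bot: In the second hunk (`@@ -1423,8 +1423,15 @@`) the new copy `qdf_mem_copy(ssid.ssid, ie + sizeof(struct ie_header), ssid.ssid_len)` is bounded only by the check whose condition starts above the hunk, not by the size of the destination `ssid.ssid`; if that check admits an `ie_len` larger than `sizeof(ssid.ssid)` (its visible tail `... + sizeof(struct ie_header))` suggests the bound may be looser than the array), the former out-of-bounds read becomes an overflow of the stack-local struct. I would guard the copy explicitly, consistent with the existing error path: `if (ssid.ssid_len > sizeof(ssid.ssid))` / `return QDF_STATUS_E_INVAL;` immediately before the `qdf_mem_copy`. Separately, the source expression `ie + sizeof(struct ie_header)` is scaled by the pointee type of `ie`, whose declaration is outside the hunk; if `ie` is a `struct ie_header *` rather than a byte pointer this advances by several elements instead of one header, so `(uint8_t *)ie + sizeof(struct ie_header)` states the intended byte offset unambiguously either way. util_scan_add_hidden_ssid begins and ends outside the hunks shown.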