Commit d7687fb2 authored by Vinod Kumar Myadam

qcacmn: Fix OOB in util_gen_new_ie

For example, if tmp_new[1] = 3, subie_len=160,
(tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy will be 159.
In this scenario, the while condition becomes true (159 <= 160).
In the if condition (159 >= 160), we are not breaking the loop in if.
tmp_new will get incremented, tmp_new will point at 159,
tmp_new[1] will point at 160, tmp_new[2] point at 161.
So, we are accessing one byte out-of-bound value.

To fix accessing out-of-bound value subtract one from the subie_len
in while and if condition to avoid this scenario.

Change-Id: I624585323963b6d79acf9ff0f96ec17e0b415c2d
CRs-Fixed: 3358833
parent 074d2855
+3 −3
/*
 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
 * Copyright (c) 2021-2022 Qualcomm Innovation Center, Inc. All rights reserved.
 * Copyright (c) 2021-2023 Qualcomm Innovation Center, Inc. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -2135,7 +2135,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
	 */
	tmp_new = sub_copy;
	while (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <=
	       subie_len) {
	       (subie_len - 1)) {
		if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP ||
		      tmp_new[0] == WLAN_ELEMID_SSID ||
		      tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX ||
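Review bot: The new bound `(subie_len - 1)` in the while condition also rejects an element whose end offset is exactly `subie_len`, so if sub_copy holds subie_len bytes, as the commit message's example implies, the last element of an exactly filled buffer is no longer visited by this loop. The out-of-bounds read comes from evaluating `tmp_new[1]` before confirming that `tmp_new[0]` and `tmp_new[1]` lie inside the buffer, so consider checking that first, for example `(tmp_new - sub_copy) + MIN_IE_LEN <= subie_len`, and only then testing that the element's end offset is `<= subie_len`. The first iteration also still reads `tmp_new[1]` with no check in this hunk that `subie_len` is at least `MIN_IE_LEN`, and the type of `subie_len` is not visible here: if it is unsigned and can be 0, `subie_len - 1` wraps.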
@@ -2149,7 +2149,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
			}
		}
		if (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) >=
		    subie_len)
		    (subie_len - 1))
			break;
		tmp_new += tmp_new[1] + MIN_IE_LEN;
	}
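Review bot: With the loop condition now `<= (subie_len - 1)`, the `>= (subie_len - 1)` test before `break` can only be true at equality (assuming `tmp_new` is not changed in the lines between the two hunks), and the reason for the `- 1` is not documented at either site. Suggest computing the end offset `(tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy` once into a local, using it in both conditions so the two bounds cannot drift apart, and adding a comment that the break exists so the next iteration's `tmp_new[1]` read stays inside the buffer.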