
Commit 4f65c1ab authored by Chaoli Zhou, committed by Gerrit - the friendly Code Review server

qcacmn: Fix OOB issue for bwnss oui

If is_bwnss_oui returns true in util_scan_parse_vendor_ie,
it will run into the logic below:
scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8)
But in fact if ie->ie_len < 6, it will cause a read out
of boundary issue. So add the length checking before
reading it

Change-Id: I0cdf723154eb808f8062efd897f9d67d54d4573b
CRs-Fixed: 2838849
parent dcbad0e0
+2 −0
@@ -1618,6 +1618,8 @@ is_bwnss_oui(uint8_t *frm)
		((ATH_OUI_BW_NSS_MAP_TYPE << 24) | ATH_OUI));
}

#define WLAN_BWNSS_MAP_OFFSET 6

/**
 * is_he_cap_oui() - If vendor IE is HE CAP OUI
 * @frm: vendor IE pointer
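Review bot: the new `#define WLAN_BWNSS_MAP_OFFSET 6` carries no comment, and nothing ties it to the `+ 8` pointer offset it is meant to guard in util_scan_parse_vendor_ie. From the visible code the 6 appears to be the 4 bytes that is_bwnss_oui matches (`(ATH_OUI_BW_NSS_MAP_TYPE << 24) | ATH_OUI`) plus the sub-type and version bytes, with the remaining 2 being the element ID and length bytes of the IE header. Please add a short comment saying so, so a later change to the IE layout does not update one number and miss the other.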
+2 −1
@@ -843,6 +843,7 @@ util_scan_parse_vendor_ie(struct scan_cache_entry *scan_params,
		 * Bandwidth-NSS map has sub-type & version.
		 * hence copy data just after version byte
		 */
		if (ie->ie_len > WLAN_BWNSS_MAP_OFFSET)
			scan_params->ie_list.bwnss_map = (((uint8_t *)ie) + 8);
	} else if (is_mbo_oce_oui((uint8_t *)ie)) {
		scan_params->ie_list.mbo_oce = (uint8_t *)ie;
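Review bot: the guard `if (ie->ie_len > WLAN_BWNSS_MAP_OFFSET)` only proves that the single byte at `((uint8_t *)ie) + 8` lies inside the element (ie_len of at least 7 covers offsets 2 through 8), so any consumer of `bwnss_map` that reads more than one byte still needs its own length check or a stored length alongside the pointer. The literal `8` in the assignment should also be written in terms of the macro (IE header size plus WLAN_BWNSS_MAP_OFFSET) so that the check and the offset cannot drift apart. Two smaller points: the commit message says the problem occurs for `ie_len < 6` while the code also rejects `ie_len == 6`, which is the correct bound, so the message should match; and when the check fails `bwnss_map` is left untouched, so confirm it is NULL at that point rather than holding a pointer from an earlier element.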