
Commit 8ef6e145 authored by Jyoti Kumari, committed by snandini

qcacmn: Fix out of bound read issue in util_scan_parse_rnr_ie()

During IE parsing from a beacon/probe response, the variables
tbtt_count and tbtt_length in util_scan_parse_rnr_ie() are
read from the IE and their values are not checked before use,
which may cause an out-of-bound read issue.

Validate tbtt_count and tbtt_length before using them.

Change-Id: I51cfb2356fb16feda8a70c4b76c7f76c90b1393b
CRs-Fixed: 2836205
parent bfedabab
+1 −0
@@ -85,6 +85,7 @@ typedef uint32_t wlan_scan_id;
	WLAN_GET_BITS(value32, (8 * (bw_index)), 8)
#define WLAN_SET_SCORE_PERCENTAGE(value32, score_pcnt, bw_index) \
	WLAN_SET_BITS(value32, (8 * (bw_index)), 8, score_pcnt)
#define TBTT_INFO_COUNT 16

/* forward declaration */
struct wlan_objmgr_vdev;
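Review bot: TBTT_INFO_COUNT is introduced without a comment saying where 16 comes from, and the name does not say whether it bounds the raw count subfield or the number of entries. The TBTT Information Count subfield of the RNR TBTT Information Header is 4 bits wide and encodes the number of TBTT Information fields minus one, so the raw value tops out at 15 and the entry count at 16; a one-line comment such as "/* max TBTT info entries per Neighbor AP Info field (4-bit count + 1) */" would let a reader check the bound against the spec and against the `tbtt_count > TBTT_INFO_COUNT` comparison in util_scan_parse_rnr_ie().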
+6 −1
@@ -713,7 +713,12 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
		scm_debug("tbtt_count %d, tbtt_length %d, fieldtype %d",
			  tbtt_count, tbtt_length, fieldtype);
		data += sizeof(struct neighbor_ap_info_field);
		for (i = 0; i < (tbtt_count + 1) ; i++) {

		if (tbtt_count > TBTT_INFO_COUNT)
			break;

		for (i = 0; i < (tbtt_count + 1) &&
		     data < ((uint8_t *)ie + rnr_ie_len + 2); i++) {
			if (i < MAX_RNR_BSS)
				util_scan_update_rnr(
					&scan_entry->rnr.bss_info[i],
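Review bot: The new guard `if (tbtt_count > TBTT_INFO_COUNT)` is off by one relative to the loop it protects: tbtt_count == 16 passes the check and `for (i = 0; i < (tbtt_count + 1) ...)` then runs 17 times, and if tbtt_count holds the raw 4-bit count subfield it can never exceed 15, so the check never fires at all. Either compare with `>=` or document which value the macro bounds. The bigger gap is that the commit message says tbtt_length is validated, but this hunk only adds `data < ((uint8_t *)ie + rnr_ie_len + 2)`, i.e. that data starts before the end of the IE, not that tbtt_length bytes remain; if util_scan_update_rnr() reads tbtt_length bytes from data, a truncated final entry can still read past the IE. Suggest `data + tbtt_length <= (uint8_t *)ie + rnr_ie_len + 2` as the loop condition, plus a check before the loop that tbtt_length is at least the minimum size implied by fieldtype. The `i < MAX_RNR_BSS` test correctly protects the bss_info array write, but it does not bound the read of the input buffer.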