
Commit 0ac3da58 authored by Deeksha Gupta, committed by Gerrit - the friendly Code Review server

qcacld-3.0: Fix possible OOB in unpack_tlv_core

Currently in unpack_tlv_core(), nBufRemaining is validated
after calling the framesntohs API. Since framesntohs() copies
the pIn address to the pOut address with length = 2 bytes, as below,
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
this could cause an OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282
parent 03576d60
+2 −2
/*
 * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -26,7 +26,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
 * Mon Mar 25 14:48:07 2019 from the following file(s):
 * Wed Sep 29 13:23:21 2021 from the following file(s):
 *
 * dot11f.frms
 *
+13 −7
/*
 * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -24,7 +24,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
 * Mon Mar 25 14:48:07 2019 from the following file(s):
 * Wed Sep 29 13:23:21 2021 from the following file(s):
 *
 * dot11f.frms
 *
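Review bot: this file is marked "automatically generated by 'framesc'" from dot11f.frms, and the hunk only bumps the generation timestamp; confirm the corresponding change to the generator template or framesc itself is part of this change, otherwise the next regeneration will silently drop the reordering in unpack_tlv_core below.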
@@ -13659,7 +13659,6 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
			}
			/* & length, */
			if (pTlv->sLen == 2) {
				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
				if (2 > nBufRemaining) {
					FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
							"fewer two byte(s) remaining.\n"));
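Review bot: the removed `framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);` ran before the `if (2 > nBufRemaining)` guard, so the fixed 2-byte DOT11F_MEMCPY inside it could read one byte past the end of the frame whenever only a single byte remained; deleting it here and reading after the guard is the right shape for the fix. While touching this block, the log text "fewer two byte(s) remaining" would read better as "fewer than two byte(s) remaining".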
@@ -13667,6 +13666,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
					FRAMES_DBG_BREAK();
					goto MandatoryCheck;
				}
				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
				pBufRemaining += 2;
				nBufRemaining -= 2;
			} else {
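Review bot: with the read now placed after the guard, `len` is no longer assigned on the error path that jumps to MandatoryCheck, whereas before the move it always held a value (possibly from the out-of-bounds read); confirm nothing reached via that label consumes `len`, or initialise it at its declaration so the error path is well defined.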
@@ -13675,9 +13675,14 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
				nBufRemaining -= 1;
			}
		} else {
			if (TLVs[0].sType > nBufRemaining) {
				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
					     "fewer LVs[0].sType byte(s) remaining.\n"));
				status |= DOT11F_INCOMPLETE_TLV;
				goto MandatoryCheck;
			}
			pBufRemaining += TLVs[0].sType;
			nBufRemaining -= TLVs[0].sType;
			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
			if (2 > nBufRemaining) {
				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
					     "fewer two byte(s) remaining.\n"));
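Review bot: the context line `FRFL("This frame reports fewer LVs[0].sType byte(s) remaining.\n")` looks like a typo for `TLVs[0].sType`; worth correcting in the generator while this function is being regenerated. The removed `framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));` had the same ordering defect as the sLen == 2 branch: pBufRemaining has just been advanced by `TLVs[0].sType`, and the 2-byte read happened before `nBufRemaining` was checked against 2, so a frame whose type field is followed by a single trailing byte could trigger the over-read.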
@@ -13685,6 +13690,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal pCtx,
				FRAMES_DBG_BREAK();
				goto MandatoryCheck;
			}
			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
			pBufRemaining += 2;
			nBufRemaining -= 2;
		}
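Review bot: the guard, read and advance sequence (`if (2 > nBufRemaining)`, `framesntohs(...)`, `pBufRemaining += 2; nBufRemaining -= 2;`) is now duplicated verbatim in both branches; a small static helper in the framesc template that takes the msb flag would keep the two call sites from drifting apart again. As in the sLen == 2 branch, `len` is left unassigned when this guard fails and control goes to MandatoryCheck, so the same check that `len` is not consumed there applies here.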