Commit 28f22260 authored by Gururaj Pandurangi, committed by Vijay Kumar Panwar(Consultant)

qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset

Avoid OOB read in sch_get_csa_ecsa_count_offset API by
adding check for ie_len before subtracting element ID len
from it.

Change-Id: Id86e69b2c5abc37a4f33125dc5fd0bd1d92f64a7
CRs-Fixed: 3049251
parent fd554918
+5 −2
/*
 * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2012-2018, 2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -156,7 +156,7 @@ sch_append_addn_ie(tpAniSirGlobal mac_ctx, tpPESession session,

/**
 * sch_get_csa_ecsa_count_offset() - get the offset of Switch count field
 * @ie: pointer to the beggining of IEs in the beacon frame buffer
 * @ie: pointer to the beginning of IEs in the beacon frame buffer
 * @ie_len: length of the IEs in the buffer
 * @csa_count_offset: pointer to the csa_count_offset variable in the caller
 * @ecsa_count_offset: pointer to the ecsa_count_offset variable in the caller
@@ -195,6 +195,9 @@ static void sch_get_csa_ecsa_count_offset(uint8_t *ie, uint32_t ie_len,
			*ecsa_count_offset = offset +
					SCH_ECSA_SWITCH_COUNT_OFFSET;

		if (ie_len < elem_len)
			return;

		ie_len -= elem_len;
		offset += elem_len;
		ptr += (elem_len + 2);
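
Review bot: The new `if (ie_len < elem_len) return;` check sits after the assignment `*ecsa_count_offset = offset + SCH_ECSA_SWITCH_COUNT_OFFSET;`, so for a truncated element the function returns with an offset already stored for an element whose body does not fit in the remaining buffer. Consider moving the length check ahead of the offset assignments, or resetting the offsets before the early return, so the caller never receives an offset for an element that failed validation. Separately, `ptr` advances by `elem_len + 2` while `ie_len` is reduced only by `elem_len` in these lines; the two header bytes need to be subtracted from `ie_len` earlier in the loop, outside the visible context, and that is worth confirming since the new check depends on `ie_len` being the exact remaining length. A debug log on the early return would also make malformed IE buffers easier to spot.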