
Commit cdbc3bd0 authored by Jyoti Kumari, committed by Gerrit - the friendly Code Review server

qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find the IE pointer after the
FILS session IE from the frame payload.
There is a possibility of integer underflow if the frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP, which may increase the value
of the buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during the parsing process.

Validate the frame payload length against FIXED_PARAM_OFFSET_ASSOC_RSP;
if it is less, return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
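The failure mode the commit message describes, as an added C example that is not the driver's code and not part of this commit: when the payload length is unsigned, a payload shorter than the fixed-parameter offset wraps the subtraction into a huge IE-area length that a bounded IE walker then trusts, and the fix is to reject the frame before subtracting. The value FIXED_PARAM_OFFSET_ASSOC_RSP = 30, the FILS Session element encoding (element ID 255 with extension ID 4), the constructed sample frame and every function name below are assumptions of this example; the real find_ie_data_after_fils_session_ie() and aead_decrypt_assoc_rsp() differ (there, for instance, n_frame is passed by pointer).

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants (not taken from the page): 24-byte 802.11 header plus
 * the 6 bytes of fixed Association Response fields (capability, status, AID). */
#define FIXED_PARAM_OFFSET_ASSOC_RSP 30u
#define ELEM_ID_EXTENSION           255u
#define EXT_ID_FILS_SESSION         4u   /* assumed FILS Session extension id */

enum demo_status { DEMO_OK = 0, DEMO_E_FAILURE = 1 };

/* The arithmetic before the fix: n_frame is unsigned, so a payload shorter
 * than the fixed-parameter offset wraps to a huge IE-area length. */
uint32_t unsafe_ie_len(uint32_t n_frame)
{
    return n_frame - FIXED_PARAM_OFFSET_ASSOC_RSP;
}

/* Bounded IE walk over ies[0..buf_len): stores the offset just past the
 * FILS Session element and returns 0, or returns -1 if it is absent or
 * truncated.  It trusts buf_len, which is exactly why a wrapped length
 * turns into out-of-bounds reads. */
static int find_after_fils_session(const uint8_t *ies, uint32_t buf_len,
                                   uint32_t *out_off)
{
    uint32_t off = 0;

    while (off + 2 <= buf_len) {
        uint8_t id  = ies[off];
        uint8_t len = ies[off + 1];

        if (off + 2 + len > buf_len)
            return -1;                      /* element runs past the buffer */
        if (id == ELEM_ID_EXTENSION && len >= 1 &&
            ies[off + 2] == EXT_ID_FILS_SESSION) {
            *out_off = off + 2 + len;
            return 0;
        }
        off += 2 + len;
    }
    return -1;                              /* no FILS Session element */
}

/* The fixed flow: reject the frame before subtracting, then walk the IEs.
 * On success *after_len is the number of bytes following the FILS Session
 * element, the part a driver would go on to AEAD-decrypt. */
enum demo_status decrypt_assoc_rsp_demo(const uint8_t *p_frame,
                                        uint32_t n_frame, uint32_t *after_len)
{
    uint32_t ie_off;

    if (n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP)
        return DEMO_E_FAILURE;              /* the check added by the commit */

    if (find_after_fils_session(p_frame + FIXED_PARAM_OFFSET_ASSOC_RSP,
                                n_frame - FIXED_PARAM_OFFSET_ASSOC_RSP,
                                &ie_off) != 0)
        return DEMO_E_FAILURE;

    *after_len = n_frame - FIXED_PARAM_OFFSET_ASSOC_RSP - ie_off;
    return DEMO_OK;
}

/* Constructed sample frame: 30 zero bytes for header and fixed fields, then
 * an SSID element, a FILS Session element and a 3-byte vendor element. */
size_t build_sample_frame(uint8_t *buf, size_t cap)
{
    static const uint8_t ies[] = {
        0x00, 0x04, 't', 'e', 's', 't',                 /* SSID "test"     */
        0xff, 0x09, 0x04, 1, 2, 3, 4, 5, 6, 7, 8,        /* FILS Session    */
        0xdd, 0x03, 0xaa, 0xbb, 0xcc                     /* trailing vendor */
    };
    size_t total = FIXED_PARAM_OFFSET_ASSOC_RSP + sizeof(ies);

    if (cap < total)
        return 0;
    memset(buf, 0, FIXED_PARAM_OFFSET_ASSOC_RSP);
    memcpy(buf + FIXED_PARAM_OFFSET_ASSOC_RSP, ies, sizeof(ies));
    return total;
}

/* Bytes after the FILS Session element in the full sample frame (-1 on failure). */
int demo_sample_after_len(void)
{
    uint8_t buf[64];
    uint32_t after = 0;
    size_t n = build_sample_frame(buf, sizeof buf);

    if (decrypt_assoc_rsp_demo(buf, (uint32_t)n, &after) != DEMO_OK)
        return -1;
    return (int)after;
}

/* Result of the fixed flow when the sample frame is reported as n_frame bytes
 * long (n_frame must not exceed the 52-byte sample). */
enum demo_status demo_status_for_len(uint32_t n_frame)
{
    uint8_t buf[64];
    uint32_t after = 0;

    build_sample_frame(buf, sizeof buf);
    return decrypt_assoc_rsp_demo(buf, n_frame, &after);
}

int main(void)
{
    printf("n_frame=10: unsafe IE length wraps to 0x%08x\n",
           (unsigned)unsafe_ie_len(10));
    printf("sample frame: %d bytes follow the FILS Session element\n",
           demo_sample_after_len());
    printf("n_frame=10 with the check: %s\n",
           demo_status_for_len(10) == DEMO_OK ? "accepted" : "rejected");
    return 0;
}
```

The n_frame == 30 case is worth keeping in mind when reading the hunk: it passes a `<` check, so the walker is entered with a zero-length IE area and must cope with that itself, which the bounded loop above does by never reading an element header it cannot fit.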
parent 0c8a4fc0
+6 −1
/*
 * Copyright (c) 2017-2018 The Linux Foundation. All rights reserved.
 * Copyright (c) 2017-2021 The Linux Foundation. All rights reserved.
 *
 * Permission to use, copy, modify, and/or distribute this software for
 * any purpose with or without fee is hereby granted, provided that the
@@ -1819,6 +1819,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(tpAniSirGlobal mac_ctx,
	uint8_t *fils_ies;
	struct pe_fils_session *fils_info = (session->fils_info);

	if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
		pe_debug("payload len is less than ASSOC RES offset");
		return QDF_STATUS_E_FAILURE;
	}

	status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
					      FIXED_PARAM_OFFSET_ASSOC_RSP,
					      ((*n_frame) -
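Review bot: the new guard in aead_decrypt_assoc_rsp() uses `<`, so a payload of exactly FIXED_PARAM_OFFSET_ASSOC_RSP bytes passes and find_ie_data_after_fils_session_ie() is entered with `((*n_frame) - FIXED_PARAM_OFFSET_ASSOC_RSP)` equal to 0 and a pointer just past the fixed fields; that is safe only if the callee checks its buf_len before reading the first element ID and length octets, and since the call exists to locate the IE after the FILS session IE, a zero-length IE area can never succeed, so `<=` (or a minimum that also covers the two-octet element header) would reject such frames on the same error path. The subtraction is now guarded at this call site, but the callee still trusts whatever buf_len it is handed; the same bound inside find_ie_data_after_fils_session_ie() would cover any other caller. Minor: the pe_debug text says "ASSOC RES offset" while the macro is FIXED_PARAM_OFFSET_ASSOC_RSP; "ASSOC RSP" would make the log easier to grep against the code.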