prima: Fix OOB read in limProcessDeauthFrame
Propagation from cld3.0 to cld2.0
Further adapted from cld2.0 to prima.
In the API limProcessDeauthFrame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in a OOB read.
Fix is to have a min length check of 16 bits for the
reason code before accessing it.
Issue: SEC-1892
Bug: 78528839
Test: Test with provided PoC (before and after the fix)
Change-Id: I7e7a435ba049356c13fb10240f4abb9bf6219af4
CRs-Fixed: 2338742
Signed-off-by: Sunil Ravi <sunilravi@google.com>
(adapted from commit 1bfa0f6cb01a34c56c572ff5b45f48bfe7adaade)
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index a7d4df8..f4d6732 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -68,15 +68,19 @@
tpDphHashNode pStaDs;
tpPESession pRoamSessionEntry=NULL;
tANI_U8 roamSessionId;
-#ifdef WLAN_FEATURE_11W
tANI_U32 frameLen;
-#endif
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frameLen < sizeof(reasonCode)) {
+ PELOGE(limLog(pMac, LOGE,
+ FL("Invalid framelen received %d"), frameLen);)
+ return;
+ }
if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) && (eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState))
{
@@ -122,8 +126,6 @@
PELOGE(limLog(pMac, LOGE, FL("received an unprotected deauth from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
-
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
(tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)),