wlan: Fix OOB read in lim_process_deauth_frame
In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in a OOB read.
Fix is to have a min length check of 16 bits for the
reason code before accessing it.
Issue: SEC-1892
Change-Id: I471198582bd7d40dee45d88b76ce6231456dc5ce
CRs-Fixed: 2249768
Signed-off-by: Gururaj Patil <gururaj.patil3@harman.com>
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index a7d4df8..3ce107b4 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -68,15 +68,22 @@
tpDphHashNode pStaDs;
tpPESession pRoamSessionEntry=NULL;
tANI_U8 roamSessionId;
-#ifdef WLAN_FEATURE_11W
+
tANI_U32 frameLen;
-#endif
+
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frameLen < sizeof(reasonCode)) {
+ PELOGE(limLog(pMac, LOGE,
+ FL("Invalid framelen received %d"), frameLen);)
+ return;
+ }
+
if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) && (eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState))
{
@@ -122,7 +129,6 @@
PELOGE(limLog(pMac, LOGE, FL("received an unprotected deauth from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,