wlan: Fix possible OOB access in lim_process_disassoc_frame
Reason code is extracted from frame data without validating
the frame len which could result in out of bound access.
Fix is to validate frame len before extracting reason
code from frame data.
Change-Id: I00795a806abcae903dd0daa019aeab990aedc3a7
CRs-Fixed: 2504023
diff --git a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
index 88ca7f8..a5d3465 100644
--- a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -80,12 +80,16 @@
tpSirMacMgmtHdr pHdr;
tpDphHashNode pStaDs;
tLimMlmDisassocInd mlmDisassocInd;
-#ifdef WLAN_FEATURE_11W
- tANI_U32 frameLen;
-#endif
+ tANI_U32 frame_len;
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+ if (frame_len < 2) {
+ limLog(pMac, LOGE, FL("frame len less than 2"));
+ return;
+ }
if (limIsGroupAddr(pHdr->sa))
{
@@ -124,10 +128,9 @@
PELOGE(limLog(pMac, LOG1, FL("received an unprotected disassoc from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
- (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)),
+ (tANI_U8*)pHdr, (frame_len + sizeof(tSirMacMgmtHdr)),
psessionEntry->smeSessionId, psessionEntry);
return;
}