wlan: Fix integer overflow in rrm_fill_beacon_ies()
In function rrm_fill_beacon_ies, the total IE length is
calculated as sum of length field of the IE and 2 (element id 1
byte and IE length field 1 byte). The total IE length is defined
as type uint16_t and will overflow if *(pBcnIes + 1) = 0xfe.
Validate the len against total IE length to avoid overflow.
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617004
diff --git a/CORE/MAC/src/pe/rrm/rrmApi.c b/CORE/MAC/src/pe/rrm/rrmApi.c
index a397069..d43dc9c 100644
--- a/CORE/MAC/src/pe/rrm/rrmApi.c
+++ b/CORE/MAC/src/pe/rrm/rrmApi.c
@@ -678,7 +678,8 @@
tANI_U8 *eids, tANI_U8 numEids,
tpSirBssDescription pBssDesc )
{
- tANI_U8 len, *pBcnIes, BcnNumIes, count = 0, i;
+ tANI_U8 len, *pBcnIes, count = 0, i;
+ tANI_U16 BcnNumIes = 0;
if( (pIes == NULL) || (pNumIes == NULL) || (pBssDesc == NULL) )
{
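Review bot: `len` stays `tANI_U8` on the new declaration line, so `len += 2` in the second hunk still wraps for a length byte of 0xfe or 0xff; the guard added there only catches this because the wrapped values 0 and 1 happen to satisfy `len <= 2`, and the LOG3 line that precedes the guard prints the wrapped value rather than the real length. Declaring it next to the widened counter, `tANI_U8 *pBcnIes, count = 0, i;` and `tANI_U16 len = 0, BcnNumIes = 0;`, makes the arithmetic non-wrapping so the check reads as a genuine bounds comparison and the log is accurate. In the second hunk the loop condition `while ( BcnNumIes > 0 )` also admits a single remaining byte, in which case `*(pBcnIes + 1)` is read before the remaining-length check; a `BcnNumIes < 2` test at the top of the loop body would close that. The function signature begins above this hunk and its body continues past the end of the shown diff.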
@@ -705,10 +706,17 @@
while ( BcnNumIes > 0 )
{
- len = *(pBcnIes + 1) + 2; //element id + length.
+ len = *(pBcnIes + 1); //element id + length.
+ len += 2;
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes+1), len );
+ if (BcnNumIes < len || len <= 2) {
+ limLog(pMac, LOGE, "RRM: Invalid IE len:%d exp_len:%d",
+ len, BcnNumIes);
+ break;
+ }
+
i = 0;
do
{