wlan: Fix out-of-bounds access in limProcessActionFrameNoSession
Currently in the function limProcessActionFrameNoSession, mem_cmp
is done on the received frame pointer without validating the frame_len
which could lead to out-of-bounds memory access if the frame_len is
not matching the size of action_hdr.
Add check to validate the frame_len with action_hdr size before doing
mem_cmp for the p2p oui.
Change-Id: I39329d1a9ef45614d3c617db11a7a7f5ec2aaaec
CRs-Fixed: 2110756
diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index 387e32e..5133ead 100644
--- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -2614,6 +2614,16 @@
{
tpSirMacVendorSpecificPublicActionFrameHdr pPubAction = (tpSirMacVendorSpecificPublicActionFrameHdr) pActionHdr;
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+ tANI_U32 frameLen;
+
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+ if (frameLen < sizeof(pActionHdr)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"),
+ frameLen);
+ break;
+ }
//Check if it is a P2P public action frame.
if (vos_mem_compare(pPubAction->Oui, P2POui, 4))
@@ -2752,6 +2762,16 @@
case SIR_MAC_ACTION_VENDOR_SPECIFIC:
{
tANI_U8 P2POui[] = { 0x50, 0x6F, 0x9A, 0x09 };
+ tANI_U32 frameLen;
+
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pBd);
+
+ if (frameLen < sizeof(pActionHdr)) {
+ limLog(pMac, LOG1,
+ FL("Received action frame of invalid len %d"),
+ frameLen);
+ break;
+ }
//Check if it is a P2P public action frame.
if (vos_mem_compare(pActionHdr->Oui, P2POui, 4))