commit 4689388205d91f16eb106ba8731b37610bb0218c
author Deeksha Gupta <deegupta@codeaurora.org> Tue Oct 05 09:17:30 2021 +0530
committer Gerrit - the friendly Code Review server <code-review@localhost> Wed Dec 01 03:29:21 2021 -0800
tree ff667cf173131ae6c50b262285bbe3d5d0abdd51
parent 1805c11c64d9f0060c015246cf997cf210c2f113

wlan: Fix possible OOB in unpack_tlv_core

Currently in UnpackTlvCore(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: Ia79a590efaa0d81f06eb66c2163da34f1932b18f
CRs-Fixed: 3048959

CORE/MAC/src/include/dot11f.h

diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index 81d072c..7c5390b 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -32,7 +32,7 @@
   * \brief Structures, function prototypes & definitions
   * for working with 802.11 Frames
   * This file was automatically generated by 'framesc'
-  * Mon Jul 22 17:48:28 2019 from the following file(s):
+  * Tue Oct  5 09:07:17 2021 from the following file(s):
   *
   * dot11f.frms
   *

CORE/SYS/legacy/src/utils/src/dot11f.c

diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index d22f1f8..b26ec17 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -30,7 +30,7 @@
   * \brief Structures, functions & definitions for
   * working with 802.11 Frames
   * This file was automatically generated by 'framesc'
-  * Mon Jul 22 17:48:28 2019 from the following file(s):
+  * Tue Oct  5 09:07:17 2021 from the following file(s):
   *
   * dot11f.frms
   *
@@ -23368,7 +23368,6 @@
            // & length,
            if ( pTlv->sLen == 2)
            {
-              framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
               if ( 2 > nBufRemaining )
               {
                   FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23377,6 +23376,7 @@
                   FRAMES_DBG_BREAK();
                   goto MandatoryCheck;
               }
+              framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
               pBufRemaining += 2;
               nBufRemaining -= 2;
            }else
@@ -23388,9 +23388,16 @@
         }
         else
         {
+           if ( TLVs[0].sType > nBufRemaining )
+           {
+               FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
+                                               "fewer TLVs[0].sType byte(s) remaining.\n") );
+               status |= DOT11F_INCOMPLETE_TLV;
+               FRAMES_DBG_BREAK();
+               goto MandatoryCheck;
+           }
            pBufRemaining += TLVs[0].sType;
            nBufRemaining -= TLVs[0].sType;
-           framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
            if ( 2 > nBufRemaining )
            {
               FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23399,6 +23406,7 @@
               FRAMES_DBG_BREAK();
               goto MandatoryCheck;
            }
+           framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
            pBufRemaining += 2;
            nBufRemaining -= 2;
         }