wlan: Fix possible OOB in unpack_tlv_core
Currently in UnpackTlvCore(), nBufRemaining is validated
after calling framesntohs API. Since framesntohs() copies
2 bytes from the pIn address to the pOut address, as below,
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.
Fix is to validate the nBufRemaining size before calling
framesntohs().
Change-Id: Ia79a590efaa0d81f06eb66c2163da34f1932b18f
CRs-Fixed: 3048959
diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index 81d072c..7c5390b 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -32,7 +32,7 @@
* \brief Structures, function prototypes & definitions
* for working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Jul 22 17:48:28 2019 from the following file(s):
+ * Tue Oct 5 09:07:17 2021 from the following file(s):
*
* dot11f.frms
*
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index d22f1f8..b26ec17 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -30,7 +30,7 @@
* \brief Structures, functions & definitions for
* working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Jul 22 17:48:28 2019 from the following file(s):
+ * Tue Oct 5 09:07:17 2021 from the following file(s):
*
* dot11f.frms
*
@@ -23368,7 +23368,6 @@
// & length,
if ( pTlv->sLen == 2)
{
- framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
if ( 2 > nBufRemaining )
{
FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23377,6 +23376,7 @@
FRAMES_DBG_BREAK();
goto MandatoryCheck;
}
+ framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
pBufRemaining += 2;
nBufRemaining -= 2;
}else
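Review bot: The moved `framesntohs` call is the whole fix, but nothing in the code records why it must follow the `2 > nBufRemaining` check, so a later edit could reorder the two statements back without tripping anything. Since the header comments in both files describe them as generated by 'framesc' and the timestamps were refreshed, presumably the change was made in the generator; a why-comment would survive regeneration and make the ordering constraint explicit. Suggest placing `// Read the 2-byte length only after the remaining-length check: framesntohs() copies 2 bytes unconditionally.` directly above the call here and above the second moved call in the hunk at 23399. The enclosing UnpackTlvCore() begins and ends outside this hunk.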
@@ -23388,9 +23388,16 @@
}
else
{
+ if ( TLVs[0].sType > nBufRemaining )
+ {
+ FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
+ "fewer TLVs[0].sType byte(s) remaining.\n") );
+ status |= DOT11F_INCOMPLETE_TLV;
+ FRAMES_DBG_BREAK();
+ goto MandatoryCheck;
+ }
pBufRemaining += TLVs[0].sType;
nBufRemaining -= TLVs[0].sType;
- framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
if ( 2 > nBufRemaining )
{
FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
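Review bot: The new log text `"fewer TLVs[0].sType byte(s) remaining.\n"` embeds a variable name rather than saying what ran out, which reads oddly in a log line and differs from the other messages in this function that describe the missing field. Suggest `"fewer than TLVs[0].sType byte(s) remaining for the TLV type field.\n"` or similar so the diagnostic is understandable without the source. The guard itself looks right: rejecting `TLVs[0].sType > nBufRemaining` before the subtraction means `nBufRemaining` cannot go below zero (or wrap, if it is unsigned; its type is not visible in this hunk) before the length check that follows.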
@@ -23399,6 +23406,7 @@
FRAMES_DBG_BREAK();
goto MandatoryCheck;
}
+ framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
pBufRemaining += 2;
nBufRemaining -= 2;
}