wlan: Fix potential OOB read when indicate mgmt frame
qcacld-2.0 to prima propagation.
In function __hdd_indicate_mgmt_frame, it doesn't check mgmt frame
length and access pointer to frame, which cause OOB read potentially.
So, check frame length before access pointer to frame.
Change-Id: Id2bd4276838f1eae49e8a24e8ab3361a69321a69
CRs-Fixed: 2525198
diff --git a/CORE/HDD/src/wlan_hdd_p2p.c b/CORE/HDD/src/wlan_hdd_p2p.c
index e3ab8b4..55e5e8b 100644
--- a/CORE/HDD/src/wlan_hdd_p2p.c
+++ b/CORE/HDD/src/wlan_hdd_p2p.c
@@ -2763,6 +2763,7 @@
/* Get pAdapter from Destination mac address of the frame */
if ((type == SIR_MAC_MGMT_FRAME) &&
(subType != SIR_MAC_MGMT_PROBE_REQ) &&
+ (nFrameLength > WLAN_HDD_80211_FRM_DA_OFFSET + VOS_MAC_ADDR_SIZE) &&
!vos_is_macaddr_broadcast(
(v_MACADDR_t *)&pbFrames[WLAN_HDD_80211_FRM_DA_OFFSET]))
{
@@ -2833,12 +2834,16 @@
cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );
if ((type == SIR_MAC_MGMT_FRAME) &&
- (subType == SIR_MAC_MGMT_ACTION))
+ (subType == SIR_MAC_MGMT_ACTION) &&
+ (nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1))
{
if(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET] == WLAN_HDD_PUBLIC_ACTION_FRAME)
{
// public action frame
- if((pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] == SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
+ if((WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 <
+ nFrameLength) &&
+ (pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] ==
+ SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
vos_mem_compare(&pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+2], SIR_MAC_P2P_OUI, SIR_MAC_P2P_OUI_SIZE))
// P2P action frames
{