wlan: Add max index check for dscp_to_up_map array
qcacld-3.0 to prima propagation.
In SME layer, boundary check for dscp_to_up_map array is not present.
The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions
are used to index dscpmapping. The indices are not validated to be less
than 0x40. The dscp_exceptions array is received from association
response frame. A malicious AP can send values up to 0xff, causing OOB
write of dscpmapping array.
Hence, max index check is added to avoid OOB write of dscpmapping array.
Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2585141
diff --git a/CORE/HDD/inc/wlan_hdd_main.h b/CORE/HDD/inc/wlan_hdd_main.h
index 6ee9a85..5738d63 100644
--- a/CORE/HDD/inc/wlan_hdd_main.h
+++ b/CORE/HDD/inc/wlan_hdd_main.h
@@ -1369,7 +1369,7 @@
v_BOOL_t isLinkLayerStatsSet;
#endif
/* DSCP to UP QoS Mapping */
- sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_HDD_MAX_DSCP+1];
+ sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_MAX_DSCP+1];
/* Lock for active sessions while processing deauth/Disassoc */
spinlock_t lock_for_active_session;
tSirFwStatsResult fwStatsRsp;
diff --git a/CORE/HDD/src/wlan_hdd_wmm.c b/CORE/HDD/src/wlan_hdd_wmm.c
index 4652958..9c2ad34 100644
--- a/CORE/HDD/src/wlan_hdd_wmm.c
+++ b/CORE/HDD/src/wlan_hdd_wmm.c
@@ -84,9 +84,6 @@
#define WMM_TRACE_LEVEL_INFO_LOW VOS_TRACE_LEVEL_INFO_LOW
#endif
-
-#define WLAN_HDD_MAX_DSCP 0x3f
-
// DHCP Port number
#define DHCP_SOURCE_PORT 0x4400
#define DHCP_DESTINATION_PORT 0x4300
@@ -1712,7 +1709,7 @@
"%s: Entered", __func__);
// DSCP to User Priority Lookup Table
- for (dscp = 0; dscp <= WLAN_HDD_MAX_DSCP; dscp++)
+ for (dscp = 0; dscp <= WLAN_MAX_DSCP; dscp++)
{
hddWmmDscpToUpMap[dscp] = SME_QOS_WMM_UP_BE;
}
diff --git a/CORE/SME/inc/sme_QosApi.h b/CORE/SME/inc/sme_QosApi.h
index 237a64e..93adff2 100644
--- a/CORE/SME/inc/sme_QosApi.h
+++ b/CORE/SME/inc/sme_QosApi.h
@@ -57,6 +57,7 @@
#define SME_QOS_UAPSD_VI 0x02
#define SME_QOS_UAPSD_BE 0x08
#define SME_QOS_UAPSD_BK 0x04
+#define WLAN_MAX_DSCP 0x3f
/*--------------------------------------------------------------------------
Type declarations
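Review bot: `WLAN_MAX_DSCP` is added at the end of the `SME_QOS_UAPSD_*` bit-mask group with no comment, although it is an array bound rather than a UAPSD flag. A short comment, set off from the masks by a blank line, would keep later users from sizing or indexing a DSCP table off by one, for example `/* Largest valid DSCP value (6-bit field); DSCP-indexed tables need WLAN_MAX_DSCP + 1 entries */`. Both the HDD table and the SME loops in this commit rely on that `<=` / `+1` convention.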
diff --git a/CORE/SME/src/sme_common/sme_Api.c b/CORE/SME/src/sme_common/sme_Api.c
index a62bcec..5a63210 100644
--- a/CORE/SME/src/sme_common/sme_Api.c
+++ b/CORE/SME/src/sme_common/sme_Api.c
@@ -13244,25 +13244,13 @@
for (i = 0; i < SME_QOS_WMM_UP_MAX; i++)
{
for (j = pSession->QosMapSet.dscp_range[i][0];
- j <= pSession->QosMapSet.dscp_range[i][1]; j++)
- {
- if ((pSession->QosMapSet.dscp_range[i][0] == 255) &&
- (pSession->QosMapSet.dscp_range[i][1] == 255))
- {
- VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR,
- "%s: User Priority %d is not used in mapping",
- __func__, i);
- break;
- }
- else
- {
+ j <= pSession->QosMapSet.dscp_range[i][1] &&
+ j <= WLAN_MAX_DSCP; j++)
dscpmapping[j]= i;
- }
- }
}
for (i = 0; i< pSession->QosMapSet.num_dscp_exceptions; i++)
{
- if (pSession->QosMapSet.dscp_exceptions[i][0] != 255)
+ if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP)
{
dscpmapping[pSession->QosMapSet.dscp_exceptions[i][0] ] =
pSession->QosMapSet.dscp_exceptions[i][1];
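Review bot: The exception loop now bounds the index `dscp_exceptions[i][0]`, but the value it stores, `dscp_exceptions[i][1]`, is still unchecked and comes from the same association response data, so a user priority at or above `SME_QOS_WMM_UP_MAX` can still land in `dscpmapping`. If later code uses those entries to index per-UP tables (not visible in this hunk), the out-of-range access only moves downstream; tightening the guard to `if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP && pSession->QosMapSet.dscp_exceptions[i][1] < SME_QOS_WMM_UP_MAX)` would close that. The loop bound `num_dscp_exceptions` is presumably frame-derived as well, and whether it is capped to the capacity of `dscp_exceptions` at parse time cannot be seen here, so that is worth confirming. The enclosing function starts and ends outside the hunk.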