wlan: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is present, then dot11f_unpack_ie_wpa is called to copy the wpa IE to destination buffer. assoc_req->wpa.length is passed as the length to copy the IE. As this length includes 4 bytes of the OUI fields also, this could result in OOB read. Change the length passed to the dot11f_unpack_ie_wpa as (assoc_req->wpa.length - 4), so that the additional 4 bytes of the OUI fields are excluded. Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21 CRs-Fixed: 2423554

commit: decc73bfa8239a2014976665ba99de4a6ccb7435 [log] [tgz]
author: Pragaspathi Thilagaraj <tpragasp@codeaurora.org> Tue Mar 26 19:48:41 2019 +0530
committer: Pragaspathi Thilagaraj <tpragasp@codeaurora.org> Tue Mar 26 19:48:41 2019 +0530
tree: 524aa0dd3e0f505b88bbd5e1f9c3a35844316785
parent: 1cf97dd953a396dbf60351ae94705d34616020de [diff]
diff --git a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
index 427300d..06a4c0f 100644
--- a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c

@@ -783,7 +783,7 @@
                 {
                     if (dot11fUnpackIeWPA(pMac,
                                         &pAssocReq->wpa.info[4], //OUI is not taken care
-                                        pAssocReq->wpa.length, 
+                                        (pAssocReq->wpa.length - 4),
                                         &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)
                     {
                         limLog(pMac, LOGE, FL("Invalid WPA IE"));
commit	decc73bfa8239a2014976665ba99de4a6ccb7435	[log] [tgz]
author	Pragaspathi Thilagaraj <tpragasp@codeaurora.org>	Tue Mar 26 19:48:41 2019 +0530
committer	Pragaspathi Thilagaraj <tpragasp@codeaurora.org>	Tue Mar 26 19:48:41 2019 +0530
tree	524aa0dd3e0f505b88bbd5e1f9c3a35844316785
parent	1cf97dd953a396dbf60351ae94705d34616020de [diff]