Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / prima / f4105f74832ea1ce944e3700c4fdaa4532a3a5b9^! / .
commitf4105f74832ea1ce944e3700c4fdaa4532a3a5b9[log] [tgz]
authorSourav Mohapatra <mohapatr@codeaurora.org>Thu Feb 28 14:58:17 2019 +0530
committerSourav Mohapatra <mohapatr@codeaurora.org>Wed Mar 13 10:03:50 2019 +0530
tree7a6889f00279e66e21c4226bb3bea7720a2411c1
parentaf2cc67cc278e34d53cf0c7e50e21b3bcbff30ad [diff]
qcacld-3.0: Avoid buffer overflow when process SA query action frame

No frame length check when extract 11w transaction id from SA
query request and response action frame, if frame length is
shorter than expected, buffer overflow will happen

Change-Id: Iddefa809023da244564cfd227ccfe8c2de5717c0
CRs-Fixed: 2407089

diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index bf364ee..db24aac 100644
--- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
  *
  * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
  *
@@ -71,7 +71,7 @@
 #ifdef WLAN_FEATURE_LFR_MBB
 #include "lim_mbb.h"
 #endif
-
+#include "dot11f.h"
 
 #define BA_DEFAULT_TX_BUFFER_SIZE 64
 
@@ -2185,6 +2185,7 @@
     tpSirMacMgmtHdr     pHdr;
     tANI_U8             *pBody;
     tANI_U8             transId[2];
+    uint32_t            frame_len;
 
     /* Prima  --- Below Macro not available in prima 
        pHdr = SIR_MAC_BD_TO_MPDUHEADER(pBd);
@@ -2192,7 +2193,13 @@
 
     pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
     pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+    frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 
+    if (frame_len < sizeof(struct sDot11fSaQueryReq)) {
+         VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_ERROR,
+                   ("Invalid frame length"));
+         return;
+    }
     /* If this is an unprotected SA Query Request, then ignore it. */
     if (pHdr->fc.wep == 0)
         return;
@@ -2241,12 +2248,19 @@
     tANI_U16            aid;
     tANI_U16            transId;
     tANI_U8             retryNum;
+    uint32_t            frame_len;
 
     pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
     pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+    frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
     VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_INFO,
                          ("SA Query Response received...")) ;
 
+    if (frame_len < sizeof(struct sDot11fSaQueryRsp)) {
+        VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_ERROR,
+                  ("Invalid frame length"));
+        return;
+    }
     /* When a station, supplicant handles SA Query Response.
        Forward to SME to HDD to wpa_supplicant. */
     if (eLIM_STA_ROLE == psessionEntry->limSystemRole)