commit 4d3ff94d20c4cafb20c3cb8a662749ec4220e0bd
author Jyoti Kumari <jyotkuma@codeaurora.org> Fri Jan 29 12:59:07 2021 +0530
committer snandini <snandini@codeaurora.org> Wed Feb 17 03:11:18 2021 -0800
tree d7b33f0077a41753822231ac3503b9faa74d798c
parent 561bf0cf8fbb4f80c10f10e953657476e86de8d5

qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024

core/mac/src/pe/lim/lim_process_fils.c

diff --git a/core/mac/src/pe/lim/lim_process_fils.c b/core/mac/src/pe/lim/lim_process_fils.c
index 1f2f270..c69ef13 100644
--- a/core/mac/src/pe/lim/lim_process_fils.c
+++ b/core/mac/src/pe/lim/lim_process_fils.c
@@ -2241,6 +2241,11 @@
 	uint8_t *fils_ies;
 	struct pe_fils_session *fils_info = session->fils_info;
 
+	if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
+		pe_debug("payload len is less than ASSOC RES offset");
+		return QDF_STATUS_E_FAILURE;
+	}
+
 	status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
 					      FIXED_PARAM_OFFSET_ASSOC_RSP,
 					      ((*n_frame) -