qcacld-3.0: Add max index check for dscp_to_up_map array

In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array. Bug: 153345312 Test: Regression test Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e CRs-Fixed: 2569764
GrapheneOS-Archive · Apr 8, 2020 · d85e8a2 · d85e8a2
1 parent d9b6c82
commit d85e8a2
Show file tree

Hide file tree

Showing 5 changed files with 9 additions and 20 deletions.
diff --git a/core/hdd/inc/wlan_hdd_main.h b/core/hdd/inc/wlan_hdd_main.h
@@ -1412,7 +1412,7 @@ struct hdd_adapter {
 	bool offloads_configured;
 
 	/* DSCP to UP QoS Mapping */
-	enum sme_qos_wmmuptype dscp_to_up_map[WLAN_HDD_MAX_DSCP + 1];
+	enum sme_qos_wmmuptype dscp_to_up_map[WLAN_MAX_DSCP + 1];
 
 #ifdef WLAN_FEATURE_LINK_LAYER_STATS
 	bool is_link_layer_stats_set;

diff --git a/core/hdd/inc/wlan_hdd_wmm.h b/core/hdd/inc/wlan_hdd_wmm.h
@@ -194,8 +194,6 @@ extern const uint8_t hdd_qdisc_ac_to_tl_ac[];
 extern const uint8_t hdd_wmm_up_to_ac_map[];
 extern const uint8_t hdd_linux_up_to_ac_map[];
 
-#define WLAN_HDD_MAX_DSCP 0x3f
-
 /**
  * hdd_wmmps_helper() - Function to set uapsd psb dynamically
  *

diff --git a/core/hdd/src/wlan_hdd_wmm.c b/core/hdd/src/wlan_hdd_wmm.c
@@ -54,8 +54,6 @@
 #include <cds_sched.h>
 #include "sme_api.h"
 
-#define WLAN_HDD_MAX_DSCP 0x3f
-
 #define HDD_WMM_UP_TO_AC_MAP_SIZE 8
 
 const uint8_t hdd_wmm_up_to_ac_map[] = {
@@ -1283,7 +1281,7 @@ QDF_STATUS hdd_wmm_init(struct hdd_adapter *adapter)
 	/* DSCP to User Priority Lookup Table
 	 * By default use the 3 Precedence bits of DSCP as the User Priority
 	 */
-	for (dscp = 0; dscp <= WLAN_HDD_MAX_DSCP; dscp++)
+	for (dscp = 0; dscp <= WLAN_MAX_DSCP; dscp++)
 		dscp_to_up_map[dscp] = dscp >> 3;
 
 	/* Special case for Expedited Forwarding (DSCP 46) */

diff --git a/core/sme/inc/sme_qos_api.h b/core/sme/inc/sme_qos_api.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014-2019 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -133,6 +133,8 @@ enum sme_qos_statustype {
 
 };
 
+#define WLAN_MAX_DSCP 0x3f
+
 /*
  * Enumeration of the various User priority (UP) types
  * From 802.1D/802.11e/WMM specifications (all refer to same table)

diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c
@@ -10717,24 +10717,15 @@ QDF_STATUS sme_update_dsc_pto_up_mapping(tHalHandle hHal,
 		sme_release_global_lock(&pMac->sme);
 		return QDF_STATUS_E_FAILURE;
 	}
+
 	for (i = 0; i < SME_QOS_WMM_UP_MAX; i++) {
 		for (j = pSession->QosMapSet.dscp_range[i][0];
-			j <= pSession->QosMapSet.dscp_range[i][1];
-			j++) {
-			if ((pSession->QosMapSet.dscp_range[i][0] == 255)
-				&& (pSession->QosMapSet.dscp_range[i][1] ==
-							255)) {
-				QDF_TRACE(QDF_MODULE_ID_SME,
-					QDF_TRACE_LEVEL_DEBUG,
-					FL("User Priority %d isn't used"), i);
-				break;
-			} else {
+			j <= pSession->QosMapSet.dscp_range[i][1] &&
+			j <= WLAN_MAX_DSCP; j++)
 				dscpmapping[j] = i;
-			}
-		}
 	}
 	for (i = 0; i < pSession->QosMapSet.num_dscp_exceptions; i++)
-		if (pSession->QosMapSet.dscp_exceptions[i][0] != 255)
+		if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP)
 			dscpmapping[pSession->QosMapSet.dscp_exceptions[i][0]] =
 				pSession->QosMapSet.dscp_exceptions[i][1];