drivers: qcacld-3.0: Merge tag 'LA.UM.8.3.c25-01900-sdm845.0' into ca…
…nting-4.9-q

* tag 'LA.UM.8.3.c25-01900-sdm845.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0:
  qcacld-3.0: Possible OOB read when parsing FT IE
  qcacld-3.0: Fix integer underflow in assoc response frame

Signed-off-by: Khusika Dhamar Gusti <mail@khusika.com>
Khusika Dhamar Gusti committed May 6, 2021
2 parents 5010d0a + ff548fe commit 3f1dcbf
Showing 2 changed files with 18 additions and 3 deletions.
Expand Up @@ -2238,6 +2238,11 @@ QDF_STATUS aead_decrypt_assoc_rsp(tpAniSirGlobal mac_ctx,
uint8_t *fils_ies;
struct pe_fils_session *fils_info = session->fils_info;

if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP) {
pe_debug("payload len is less than ASSOC RES offset");
return QDF_STATUS_E_FAILURE;
}

status = find_ie_data_after_fils_session_ie(mac_ctx, p_frame +
FIXED_PARAM_OFFSET_ASSOC_RSP,
((*n_frame) -
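Review bot: The rejection at `if (*n_frame < FIXED_PARAM_OFFSET_ASSOC_RSP)` is logged with `pe_debug` and without the offending length, so a truncated association response that would have underflowed the subtraction below is dropped with no trace on builds where debug logging is off. Logging it at error level with the value, e.g. `pe_err("payload len %u is less than ASSOC RSP offset", *n_frame);` (assuming `*n_frame` is a `uint32_t`; its declaration is outside the hunk), makes malformed frames visible to whoever triages the log. The check also admits `*n_frame == FIXED_PARAM_OFFSET_ASSOC_RSP`, which passes a length of zero to `find_ie_data_after_fils_session_ie`; whether that callee rejects an empty buffer is not visible here and is worth confirming. The body of `aead_decrypt_assoc_rsp` starts and ends outside the hunk.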
Expand Up @@ -2979,7 +2979,7 @@ QDF_STATUS wlan_parse_ftie_sha384(uint8_t *frame, uint32_t frame_len,
struct sSirAssocRsp *assoc_rsp)
{
const uint8_t *ie, *ie_end, *pos;
uint8_t ie_len;
uint8_t ie_len, remaining_ie_len;
struct wlan_sha384_ftinfo_subelem *ft_subelem;

ie = wlan_get_ie_ptr_from_eid(DOT11F_EID_FTINFO, frame, frame_len);
Expand All @@ -2998,12 +2998,13 @@ QDF_STATUS wlan_parse_ftie_sha384(uint8_t *frame, uint32_t frame_len,
pe_err("Invalid FTIE len:%d", ie_len);
return QDF_STATUS_E_FAILURE;
}

remaining_ie_len = ie_len;
pos = ie + 2;
qdf_mem_copy(&assoc_rsp->sha384_ft_info, pos,
sizeof(struct wlan_sha384_ftinfo));
ie_end = ie + ie_len;
pos += sizeof(struct wlan_sha384_ftinfo);
remaining_ie_len -= sizeof(struct wlan_sha384_ftinfo);
ft_subelem = &assoc_rsp->sha384_ft_subelem;
qdf_mem_zero(ft_subelem, sizeof(*ft_subelem));

Expand All @@ -3012,11 +3013,20 @@ QDF_STATUS wlan_parse_ftie_sha384(uint8_t *frame, uint32_t frame_len,

id = *pos++;
len = *pos++;
if (len < 1) {
/* Subtract data length(len) + 1 bytes for
* Subelement ID + 1 bytes for length from
* remaining FTIE buffer len (ie_len).
* Subelement Parameter(s) field :
* Subelement ID Length Data
* Octets: 1 1 variable
*/
if (len < 1 || remaining_ie_len < (len + 2)) {
pe_err("Invalid FT subelem length");
return QDF_STATUS_E_FAILURE;
}

remaining_ie_len -= (len + 2);

switch (id) {
case FTIE_SUBELEM_R1KH_ID:
if (len != FTIE_R1KH_LEN) {
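Review bot: The new bound in the subelement loop lives in a second counter, `remaining_ie_len`, next to the existing `pos`/`ie_end` pointers, and the two are measured from different bases: `pos` starts at `ie + 2` while `ie_end` is `ie + ie_len`, so if `ie_len` is the IE's length octet (its assignment is outside the hunks shown) the pointers and the counter disagree by two bytes about how much data is left. A single check derived from the pointers, `if (len < 1 || len > ie_end - pos) {`, would bound the read without a second variable to keep in sync. Separately, `remaining_ie_len -= sizeof(struct wlan_sha384_ftinfo);` wraps on a `uint8_t` unless the "Invalid FTIE len" check above it rejects every `ie_len` smaller than the struct; that condition is not visible here, so a one-line comment on the subtraction stating the precondition would help. The body of `wlan_parse_ftie_sha384` starts and ends outside the hunks.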
