wlan: Fix OOB read in sme_RrmProcessBeaconReportReqInd

Propagate from cld-3.0 to prima.

When a beacon report request action frame is received,
rrmProcessBeaconReportReq() is called and the num_channels value
is calculated from the action frame directly from the user. This
value is assigned to pSmeBcnReportReq->channelList.numChannels
and this num channels value, along with the channel list, is
posted to sme for further processing. The sme function
sme_RrmProcessBeaconReportReqInd() processes this sme
message eWNI_SME_BEACON_REPORT_REQ_IND. In this function,
the channels in the channel list are looped through up to the received
value pBeaconReq->channelList.numChannels and are copied to the
destination pSmeRrmContext->channelList array from the
pBeaconReq->channelList.channelNumber[] array.
The maximum possible number of channels in channel list
BeaconReq->channelList.channelNumber[] allocated statically
in the definition of tSirChannelList is
SIR_ESE_MAX_MEAS_IE_REQS (8).
So when the pBeaconReq->channelList.numChannels, possible OOB
read occurs.

Validate the value of pBeaconReq->channelList.numChannels
received from the action frame against the maximum supported
number of channels in channel list SIR_ESE_MAX_MEAS_IE_REQS (8).
Place this validation inside the function
sme_RrmProcessBeaconReportReqInd() instead of validating it
at rrmProcessBeaconReportReq() so that it also defends against the other
caller, sme_SetEseBeaconRequest(), which is reached from a user space
command through IOCTL.

Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2462152
Abhinav Kumar 2019-05-30 11:18:39 +05:30 committed by Nolen Johnson
parent 653a991df0
commit c417602f79
1 changed file with 6 additions and 0 deletions


@ -554,6 +554,12 @@ void sme_RrmProcessBeaconReportReqInd(tpAniSirGlobal pMac, void *pMsgBuf)
#if defined WLAN_VOWIFI_DEBUG
smsLog( pMac, LOGE, "Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum );
#endif
if (pBeaconReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS) {
smsLog( pMac, LOGP, "Beacon report request numChannels: %u exceeds "
"max num channels", pBeaconReq->channelList.numChannels);
return;
}
//section 11.10.8.1 (IEEE Std 802.11k-2008)
//channel 0 and 255 has special meaning.
if( (pBeaconReq->channelInfo.channelNum == 0) ||
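Review bot: the bound check `numChannels > SIR_ESE_MAX_MEAS_IE_REQS` is correct only if channelNumber[] holds exactly SIR_ESE_MAX_MEAS_IE_REQS entries and the copy loop runs for i < numChannels; a value equal to the limit is accepted, so please confirm the array is not sized with one fewer element (or, if the loop is `<=`, tighten to `>=`). Two smaller points: the new `return;` leaves the function early, so confirm pMsgBuf is freed by the caller rather than by this function, otherwise the rejected request leaks the message; and since numChannels comes straight from an over-the-air action frame, consider whether LOGP (fatal) is the right severity for a peer-controllable value when the surrounding diagnostic line uses LOGE, so that a malformed frame cannot drive the driver into its fatal-log path repeatedly.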