qcacld-2.0: Fix potential OOB read when indicate mgmt frame

In function __hdd_indicate_mgmt_frame, it doesn't check mgmt frame length and access pointer to frame, which cause OOB read potentially. So, check frame length before access pointer to frame. Change-Id: Id2bd4276838f1eae49e8a24e8ab3361a69321a69 CRs-Fixed: 2429210
2019-04-02 13:31:41 +08:00 · 2019-04-02 13:31:41 +08:00 · 436baac58f
parent 2d37893dce
commit 436baac58f
1 changed files with 7 additions and 2 deletions
--- a/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_p2p.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_p2p.c
@ -2426,6 +2426,7 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
    /* Get pAdapter from Destination mac address of the frame */
    if ((type == SIR_MAC_MGMT_FRAME) &&
        (subType != SIR_MAC_MGMT_PROBE_REQ) &&
+        (nFrameLength > WLAN_HDD_80211_FRM_DA_OFFSET + VOS_MAC_ADDR_SIZE) &&
        !vos_is_macaddr_broadcast(
         (v_MACADDR_t *)&pbFrames[WLAN_HDD_80211_FRM_DA_OFFSET]))
    {
@ -2483,12 +2484,16 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
    cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );

    if ((type == SIR_MAC_MGMT_FRAME) &&
-        (subType == SIR_MAC_MGMT_ACTION) && !broadcast)
+        (subType == SIR_MAC_MGMT_ACTION) && !broadcast &&
+        (nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1))
    {
        if(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET] == WLAN_HDD_PUBLIC_ACTION_FRAME)
        {
            // public action frame
-            if((pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] == SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
+            if((WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 <
+                nFrameLength) &&
+               (pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] ==
+                SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
                vos_mem_compare(&pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+2], SIR_MAC_P2P_OUI, SIR_MAC_P2P_OUI_SIZE))
            // P2P action frames
            {