qcacld-2.0: Fix potential OOB read when indicate mgmt frame
In __hdd_indicate_mgmt_frame, the management frame buffer is dereferenced without first checking the frame length, which can lead to an out-of-bounds read. Check the frame length before indexing into the frame. Change-Id: Id2bd4276838f1eae49e8a24e8ab3361a69321a69 CRs-Fixed: 2429210
This commit is contained in:
parent
2d37893dce
commit
436baac58f
|
@ -2426,6 +2426,7 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
|
|||
/* Get pAdapter from Destination mac address of the frame */
|
||||
if ((type == SIR_MAC_MGMT_FRAME) &&
|
||||
(subType != SIR_MAC_MGMT_PROBE_REQ) &&
|
||||
(nFrameLength > WLAN_HDD_80211_FRM_DA_OFFSET + VOS_MAC_ADDR_SIZE) &&
|
||||
!vos_is_macaddr_broadcast(
|
||||
(v_MACADDR_t *)&pbFrames[WLAN_HDD_80211_FRM_DA_OFFSET]))
|
||||
{
|
||||
|
@ -2483,12 +2484,16 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
|
|||
cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );
|
||||
|
||||
if ((type == SIR_MAC_MGMT_FRAME) &&
|
||||
(subType == SIR_MAC_MGMT_ACTION) && !broadcast)
|
||||
(subType == SIR_MAC_MGMT_ACTION) && !broadcast &&
|
||||
(nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1))
|
||||
{
|
||||
if(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET] == WLAN_HDD_PUBLIC_ACTION_FRAME)
|
||||
{
|
||||
// public action frame
|
||||
if((pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] == SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
|
||||
if((WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 <
|
||||
nFrameLength) &&
|
||||
(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] ==
|
||||
SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
|
||||
vos_mem_compare(&pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+2], SIR_MAC_P2P_OUI, SIR_MAC_P2P_OUI_SIZE))
|
||||
// P2P action frames
|
||||
{
|
||||
|
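Review bot: The inner bound in the P2P OUI check is written length-on-the-right (`WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 < nFrameLength`) while the other two checks this commit adds put `nFrameLength` on the left, and it requires one byte more than the `vos_mem_compare` over `SIR_MAC_P2P_OUI_SIZE` bytes starting at `OFFSET+2` actually needs, so a reader will take it for an off-by-one unless the reason is stated. If the extra byte covers a later read of the byte after the OUI (not visible in the hunk), I would write the line as `(nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2) &&` and add `/* need category, action id, OUI and the byte following the OUI */` above it; if no such read exists, `>=` is the exact bound. The new outer guard `nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1` only proves that indices OFFSET and OFFSET+1 are in range, so any sibling branch of the `WLAN_HDD_PUBLIC_ACTION_FRAME` test that indexes past OFFSET+1 needs its own length check; those branches, like the rest of `__hdd_indicate_mgmt_frame`, begin and end outside this hunk and I could not confirm them.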
|