qcacld-2.0: Add max index check for dscp_to_up_map array

qcacld-3.0 to qcacld-2.0 propagation. In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array. Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e CRs-Fixed: 2585141
2020-01-07 15:22:45 +08:00 · 2020-01-07 15:22:45 +08:00 · 8262069aee
parent 1f47112c47
commit 8262069aee
4 changed files with 11 additions and 25 deletions
--- a/drivers/net/wireless/qcacld-2.0/CORE/HDD/inc/wlan_hdd_main.h
+++ b/drivers/net/wireless/qcacld-2.0/CORE/HDD/inc/wlan_hdd_main.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@ -1158,7 +1158,7 @@ struct hdd_adapter_s
    v_BOOL_t offloads_configured;

    /* DSCP to UP QoS Mapping */
-    sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_HDD_MAX_DSCP+1];
+    sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_MAX_DSCP+1];

 #ifdef WLAN_FEATURE_LINK_LAYER_STATS
   v_BOOL_t isLinkLayerStatsSet;
--- a/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_wmm.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/HDD/src/wlan_hdd_wmm.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2013-2017, 2019, 2020 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@ -83,9 +83,6 @@
 #define WMM_TRACE_LEVEL_INFO_LOW   VOS_TRACE_LEVEL_INFO_LOW
 #endif

-
-#define WLAN_HDD_MAX_DSCP 0x3f
-
 // DHCP Port number
 #define DHCP_SOURCE_PORT 0x4400
 #define DHCP_DESTINATION_PORT 0x4300
@ -1518,7 +1515,7 @@ VOS_STATUS hdd_wmm_init ( hdd_adapter_t *pAdapter )
    * DSCP to User Priority Lookup Table
    * By default use the 3 Precedence bits of DSCP as the User Priority
    */
-   for (dscp = 0; dscp <= WLAN_HDD_MAX_DSCP; dscp++) {
+   for (dscp = 0; dscp <= WLAN_MAX_DSCP; dscp++) {
      hddWmmDscpToUpMap[dscp] = dscp >> 3;
   }

--- a/drivers/net/wireless/qcacld-2.0/CORE/SME/inc/sme_QosApi.h
+++ b/drivers/net/wireless/qcacld-2.0/CORE/SME/inc/sme_QosApi.h
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2014 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2014, 2016, 2020 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@ -57,6 +57,7 @@
 #define SME_QOS_UAPSD_VI      0x02
 #define SME_QOS_UAPSD_BE      0x08
 #define SME_QOS_UAPSD_BK      0x04
+#define WLAN_MAX_DSCP         0x3f

 /*--------------------------------------------------------------------------
  Type declarations
--- a/drivers/net/wireless/qcacld-2.0/CORE/SME/src/sme_common/sme_Api.c
+++ b/drivers/net/wireless/qcacld-2.0/CORE/SME/src/sme_common/sme_Api.c
@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
 *
 * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
 *
@ -15182,25 +15182,13 @@ VOS_STATUS sme_UpdateDSCPtoUPMapping( tHalHandle hHal,
            for (i = 0; i < SME_QOS_WMM_UP_MAX; i++)
            {
                for (j = pSession->QosMapSet.dscp_range[i][0];
-                               j <= pSession->QosMapSet.dscp_range[i][1]; j++)
-                {
-                   if ((pSession->QosMapSet.dscp_range[i][0] == 255) &&
-                                (pSession->QosMapSet.dscp_range[i][1] == 255))
-                   {
-                       VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR,
-                       "%s: User Priority %d is not used in mapping",
-                                                             __func__, i);
-                       break;
-                   }
-                   else
-                   {
-                       dscpmapping[j]= i;
-                   }
-                }
+                               j <= pSession->QosMapSet.dscp_range[i][1] &&
+                               j <= WLAN_MAX_DSCP; j++)
+                    dscpmapping[j]= i;
            }
            for (i = 0; i< pSession->QosMapSet.num_dscp_exceptions; i++)
            {
-                if (pSession->QosMapSet.dscp_exceptions[i][0] != 255)
+                if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP)
                {
                    dscpmapping[pSession->QosMapSet.dscp_exceptions[i][0] ] =
                                         pSession->QosMapSet.dscp_exceptions[i][1];