qcacld-2.0: Add max index check for dscp_to_up_map array
qcacld-3.0 to qcacld-2.0 propagation. In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array. Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e CRs-Fixed: 2585141
parent
1f47112c47
commit
8262069aee
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -1158,7 +1158,7 @@ struct hdd_adapter_s
|
|||
v_BOOL_t offloads_configured;
|
||||
|
||||
/* DSCP to UP QoS Mapping */
|
||||
sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_HDD_MAX_DSCP+1];
|
||||
sme_QosWmmUpType hddWmmDscpToUpMap[WLAN_MAX_DSCP+1];
|
||||
|
||||
#ifdef WLAN_FEATURE_LINK_LAYER_STATS
|
||||
v_BOOL_t isLinkLayerStatsSet;
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2013-2017 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2013-2017, 2019, 2020 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -83,9 +83,6 @@
|
|||
#define WMM_TRACE_LEVEL_INFO_LOW VOS_TRACE_LEVEL_INFO_LOW
|
||||
#endif
|
||||
|
||||
|
||||
#define WLAN_HDD_MAX_DSCP 0x3f
|
||||
|
||||
// DHCP Port number
|
||||
#define DHCP_SOURCE_PORT 0x4400
|
||||
#define DHCP_DESTINATION_PORT 0x4300
|
||||
|
@ -1518,7 +1515,7 @@ VOS_STATUS hdd_wmm_init ( hdd_adapter_t *pAdapter )
|
|||
* DSCP to User Priority Lookup Table
|
||||
* By default use the 3 Precedence bits of DSCP as the User Priority
|
||||
*/
|
||||
for (dscp = 0; dscp <= WLAN_HDD_MAX_DSCP; dscp++) {
|
||||
for (dscp = 0; dscp <= WLAN_MAX_DSCP; dscp++) {
|
||||
hddWmmDscpToUpMap[dscp] = dscp >> 3;
|
||||
}
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2014 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2014, 2016, 2020 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -57,6 +57,7 @@
|
|||
#define SME_QOS_UAPSD_VI 0x02
|
||||
#define SME_QOS_UAPSD_BE 0x08
|
||||
#define SME_QOS_UAPSD_BK 0x04
|
||||
#define WLAN_MAX_DSCP 0x3f
|
||||
|
||||
/*--------------------------------------------------------------------------
|
||||
Type declarations
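Review bot: The new `WLAN_MAX_DSCP` define carries no comment, and its meaning matters now that it gates writes driven by frame contents. It is the highest valid DSCP value (inclusive), not an element count, so tables indexed by DSCP need `WLAN_MAX_DSCP + 1` entries and bounds tests need `<=` rather than `<`. A one-line comment above the define, such as `/* Highest valid DSCP value (6-bit field); DSCP-indexed tables hold WLAN_MAX_DSCP + 1 entries */`, would make an off-by-one harder to introduce later.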
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
/*
|
||||
* Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
|
||||
* Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
|
||||
*
|
||||
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
|
||||
*
|
||||
|
@ -15182,25 +15182,13 @@ VOS_STATUS sme_UpdateDSCPtoUPMapping( tHalHandle hHal,
|
|||
for (i = 0; i < SME_QOS_WMM_UP_MAX; i++)
|
||||
{
|
||||
for (j = pSession->QosMapSet.dscp_range[i][0];
|
||||
j <= pSession->QosMapSet.dscp_range[i][1]; j++)
|
||||
{
|
||||
if ((pSession->QosMapSet.dscp_range[i][0] == 255) &&
|
||||
(pSession->QosMapSet.dscp_range[i][1] == 255))
|
||||
{
|
||||
VOS_TRACE(VOS_MODULE_ID_SME, VOS_TRACE_LEVEL_ERROR,
|
||||
"%s: User Priority %d is not used in mapping",
|
||||
__func__, i);
|
||||
break;
|
||||
}
|
||||
else
|
||||
{
|
||||
dscpmapping[j]= i;
|
||||
}
|
||||
}
|
||||
j <= pSession->QosMapSet.dscp_range[i][1] &&
|
||||
j <= WLAN_MAX_DSCP; j++)
|
||||
dscpmapping[j]= i;
|
||||
}
|
||||
for (i = 0; i< pSession->QosMapSet.num_dscp_exceptions; i++)
|
||||
{
|
||||
if (pSession->QosMapSet.dscp_exceptions[i][0] != 255)
|
||||
if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP)
|
||||
{
|
||||
dscpmapping[pSession->QosMapSet.dscp_exceptions[i][0] ] =
|
||||
pSession->QosMapSet.dscp_exceptions[i][1];
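Review bot: The value stored by the exceptions loop, `dscp_exceptions[i][1]`, is still taken from the association response unchecked; only the index `dscp_exceptions[i][0]` is bounded by the new `<= WLAN_MAX_DSCP` test. If consumers of `dscpmapping` treat each entry as a user priority below `SME_QOS_WMM_UP_MAX` (likely, but not visible in this hunk), an out-of-range value supplied by the AP moves the out-of-bounds access downstream instead of removing it. Consider extending the guard to `if (pSession->QosMapSet.dscp_exceptions[i][0] <= WLAN_MAX_DSCP && pSession->QosMapSet.dscp_exceptions[i][1] < SME_QOS_WMM_UP_MAX)`. It is also worth confirming that `num_dscp_exceptions` is capped to the size of `dscp_exceptions` where the frame is parsed, since this loop trusts it as-is. The body of sme_UpdateDSCPtoUPMapping starts and ends outside the hunk.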
|
||||
|
|