qcacld-2.0: Fix integer overflow in rrmFillBeaconIes()

In function rrmFillBeaconIes, the total IE length is calculated
as the sum of the length field of the IE and 2 (element id 1 byte and IE
length field 1 byte). The total IE length is defined as type
uint16_t and will overflow if *(pBcnIes + 1) = 0xfe.

Validate the len against the total IE length to avoid overflow.

Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617005
bings 2020-02-15 20:35:55 +08:00 committed by syphyr
parent 47e4e3d2af
commit 9354ce454d
1 changed files with 8 additions and 2 deletions
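The length arithmetic the commit message describes, and the remaining-bytes check the fix adds, shown as an added C example. This is not qcacld code: the function names, the 8-bit width used in `ie_total_len_narrow` to make the 0xfe case wrap, and the sample IE buffers are all constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* An 802.11 information element starts with an element id byte and a
 * length byte, followed by that many body bytes. */
#define IE_HDR_LEN 2

/* Total IE length held in an 8-bit variable. Assumption for illustration:
 * the variable is narrower than the int sum, so 0xfe + 2 wraps to 0.
 * Returns the wrapped value. */
static uint8_t ie_total_len_narrow(uint8_t len_field)
{
    uint8_t len = len_field;
    len += IE_HDR_LEN;            /* modular arithmetic in 8 bits */
    return len;
}

/* Same computation widened first: a size_t cannot wrap for a 1-byte field. */
static size_t ie_total_len_wide(uint8_t len_field)
{
    return (size_t)len_field + IE_HDR_LEN;
}

/* Walk a buffer of IEs, validating each one against the bytes that remain,
 * in the spirit of the fix's "if (BcnNumIes < len) break;".
 * Returns the number of well-formed IEs, or -1 if an element is truncated
 * or claims more bytes than the buffer still holds. */
static int walk_ies(const uint8_t *ies, size_t remaining)
{
    int count = 0;
    while (remaining > 0) {
        /* Both header bytes must exist before the length byte is read. */
        if (remaining < IE_HDR_LEN)
            return -1;
        size_t len = ie_total_len_wide(ies[1]);
        if (remaining < len)      /* body extends past the buffer */
            return -1;
        ies += len;
        remaining -= len;
        count++;
    }
    return count;
}

/* Constructed sample IE buffers (made up, not captured beacons). */
static const uint8_t good_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',        /* SSID "test" */
    0x01, 0x02, 0x82, 0x84,                /* supported rates */
    0x03, 0x01, 0x06,                      /* DS parameter set, channel 6 */
};

static const uint8_t oversized_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0xdd, 0xfe, 0x00, 0x50, 0xf2,          /* vendor IE claims 254 bytes, 3 present */
};

static const uint8_t truncated_ies[] = {
    0x00, 0x04, 't', 'e', 's', 't',
    0x03,                                  /* element id with no length byte */
};

int main(void)
{
    printf("narrow 0xfe + 2 = %u, wide 0xfe + 2 = %zu\n",
           ie_total_len_narrow(0xfe), ie_total_len_wide(0xfe));
    printf("good: %d, oversized: %d, truncated: %d\n",
           walk_ies(good_ies, sizeof good_ies),
           walk_ies(oversized_ies, sizeof oversized_ies),
           walk_ies(truncated_ies, sizeof truncated_ies));
    return 0;
}
```

The two points a reader should take from the walk are that the length is widened before the 2 is added, so the stored value can never wrap, and that the remaining-bytes check is done both before the length byte is read and before the body is skipped.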


@ -1,5 +1,5 @@
/*
* Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
* Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@ -710,10 +710,16 @@ rrmFillBeaconIes( tpAniSirGlobal pMac,
while ( BcnNumIes > 0 )
{
len = *(pBcnIes + 1) + 2; //element id + length.
len = *(pBcnIes + 1);
len += 2; //element id + length.
limLog( pMac, LOG3, "EID = %d, len = %d total = %d",
*pBcnIes, *(pBcnIes+1), len );
if (BcnNumIes < len) {
limLog(pMac, LOGE, "RRM: Invalid IE len: %d, exp_len: %d",
len, BcnNumIes);
break;
}
i = 0;
do
{
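Review bot: the `if (BcnNumIes < len)` check is placed after `*(pBcnIes + 1)` has already been read, so when exactly one byte remains (an element id with no length byte) the loop still dereferences one byte past the remaining data; add an `if (BcnNumIes < 2)` check before the length byte is read. Splitting `len = *(pBcnIes + 1) + 2;` into `len = *(pBcnIes + 1); len += 2;` does not change the stored value, since both forms compute the sum in int and then convert to the type of `len`; the new bounds check on the following line is what stops the walk from running past the buffer, so the commit message should credit that rather than the rewrite. The `exp_len` label in the error log prints BcnNumIes, which is the remaining byte count rather than an expected length; `remaining` would read more accurately.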