qcacld-3.0: Fix potential OOB read in dot11f.c

In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.

In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.

1. In function get_container_ies_len, change the call to find_ie_defn
to pass nBuf - len.
2. In function get_container_ies_len, if len > nBuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less than the IE's minSize.

Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2153003
Vignesh Viswanathan 2017-12-13 10:11:09 +05:30 committed by snandini
parent f72ed5e06e
commit ac6f2c30ac
2 changed files with 13 additions and 9 deletions


@ -35,7 +35,7 @@
*
*
* This file was automatically generated by 'framesc'
* Thu Dec 7 00:22:18 2017 from the following file(s):
* Wed Dec 13 10:10:49 2017 from the following file(s):
*
* dot11f.frms
*


@ -33,7 +33,7 @@
*
*
* This file was automatically generated by 'framesc'
* Thu Dec 7 00:22:18 2017 from the following file(s):
* Wed Dec 13 10:10:49 2017 from the following file(s):
*
* dot11f.frms
*
@ -340,7 +340,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
pBufRemaining += len + 2;
len += 2;
while (len < nBuf) {
pIe = find_ie_defn(pCtx, pBufRemaining, nBuf + len, IEs);
pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
if (NULL == pIe)
break;
if (pIe->eid == pIeFirst->eid)
@ -349,7 +349,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
pBufRemaining += *(pBufRemaining + 1) + 2;
}
if (len > 0xFF)
if ((len > 0xFF) || (len > nBuf))
return DOT11F_INTERNAL_ERROR;
*pnConsumed = len;
return DOT11F_PARSE_SUCCESS;
@ -10571,11 +10571,15 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
}
if (pIe) {
if (nBufRemaining < pIe->minSize - pIe->noui - 2U) {
FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must be "
"at least %d bytes in size, but there are onl"
"y %d bytes remaining in this frame.\n"),
pIe->name, pIe->minSize, nBufRemaining);
if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
(len < pIe->minSize - pIe->noui - 2U)) {
FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
"be at least %d bytes in size, but "
"there are only %d bytes remaining in "
"this frame or the IE reports a size "
"of %d bytes.\n"),
pIe->name, pIe->minSize, nBufRemaining,
(len + pIe->noui + 2U));
FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
status |= DOT11F_INCOMPLETE_IE;
FRAMES_DBG_BREAK();