authorJyoti Kumari <jyotkuma@codeaurora.org>2021-08-11 13:15:02 +0530
committerHsiu Chang Chen <hsiuchangchen@google.com>2021-11-15 09:52:14 +0000
commitbb3768591e25cc1a5c6c7f2ecafd8e7dea5fdf00 (patch)
tree97ff08f7ae94f12352a6d5c9757d0990eae1c350
parenta9242cd34deaeea9aef26ba56ae2ac1aa528eba2 (diff)
qcacmn: Fix OOB read issue in SSID ie
During beacon or probe response handling, if the channel is DFS and the frame subtype is MGMT_SUBTYPE_BEACON, "util_scan_add_hidden_ssid" is called to process the packet. If the IE id matches the SSID element, an OOB read may occur via ie_len, since it is only validated against the upper bound of ie_ssid. Validate the IE length first; if it is greater than 0, copy ie_len bytes into the SSID. Bug: 204905738 Test: Regression test Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Ib5e2ab7f6f3337d4c3e5c240e3133d8f276be50a CRs-Fixed: 3007473
-rw-r--r--umac/scan/dispatcher/src/wlan_scan_utils_api.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index b1c9ea5ac..a882d7969 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -938,7 +938,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
uint16_t tmplen, ie_length;
uint8_t *pbeacon, *tmp;
bool set_ssid_flag = false;
- struct ie_ssid *ssid;
+ struct ie_ssid ssid = {0};
uint8_t pdev_id;
if (!pdev) {
@@ -987,8 +987,15 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
sizeof(struct ie_header))) {
return QDF_STATUS_E_INVAL;
}
- ssid = (struct ie_ssid *)ie;
- if (util_scan_is_hidden_ssid(ssid)) {
+ ssid.ssid_id = ie->ie_id;
+ ssid.ssid_len = ie->ie_len;
+
+ if (ssid.ssid_len)
+ qdf_mem_copy(ssid.ssid,
+ ie + sizeof(struct ie_header),
+ ssid.ssid_len);
+
+ if (util_scan_is_hidden_ssid(&ssid)) {
set_ssid_flag = true;
ssid_ie_start_offset = bcn_ie_offset -
sizeof(struct ie_header);
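Review bot: The new copy `qdf_mem_copy(ssid.ssid, ie + sizeof(struct ie_header), ssid.ssid_len)` is unbounded on the destination side: `ssid.ssid_len` is taken straight from the frame's `ie->ie_len` (up to 255), while `ssid` is now a stack `struct ie_ssid` whose `ssid[]` member is not visible here but is presumably a fixed-size array, so a beacon carrying an over-long SSID IE turns the original OOB read into a stack buffer overflow. Reject (or clamp) before copying, e.g. `if (ssid.ssid_len > sizeof(ssid.ssid)) return QDF_STATUS_E_INVAL;`, and confirm that the remaining-length check just above the hunk, of which only the `sizeof(struct ie_header)` term is visible, also guarantees `ie->ie_len` bytes are still inside the buffer. Separately, if `ie` is a `struct ie_header *` as the `ie->ie_id`/`ie->ie_len` accesses suggest, `ie + sizeof(struct ie_header)` advances by that many elements rather than bytes, i.e. twice the intended offset; `(uint8_t *)ie + sizeof(struct ie_header)` is the byte offset of the SSID payload. util_scan_add_hidden_ssid starts before and continues past this hunk.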
@@ -1015,7 +1022,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
if (set_ssid_flag) {
/* Hidden SSID if the Length is 0 */
- if (!ssid->ssid_len) {
+ if (!ssid.ssid_len) {
/* increase the taillength by length of ssid */
if (qdf_nbuf_put_tail(bcnbuf,
conf_ssid->length) == NULL) {
@@ -1048,7 +1055,7 @@ util_scan_add_hidden_ssid(struct wlan_objmgr_pdev *pdev, qdf_nbuf_t bcnbuf)
qdf_mem_free(tmp);
/* Hidden ssid with all 0's */
- } else if (ssid->ssid_len == conf_ssid->length) {
+ } else if (ssid.ssid_len == conf_ssid->length) {
/* Insert the SSID string */
qdf_mem_copy((pbeacon + ssid_ie_start_offset +
sizeof(struct ie_header)),