This repository has been archived by the owner on Dec 28, 2020. It is now read-only.
Commit
qcacld-3.0: Fix OOB read in sme_rrm_process_beacon_report_req_ind
When a beacon report request action frame is received, rrm_process_beacon_report_req() is called and the num_channels value is calculated from the action frame, directly from the user. This value is assigned to pSmeBcnReportReq->channelList.numChannels, and this num channels value along with the channel list is posted to sme for further processing. The sme function sme_rrm_process_beacon_report_req_ind() processes this sme message eWNI_SME_BEACON_REPORT_REQ_IND. In this function, the channels in the channel list are looped through up to the received value pBeaconReq->channelList.numChannels and are copied to the destination pSmeRrmContext->channelList array from the pBeaconReq->channelList.channelNumber[] array. The maximum possible number of channels in the channel list BeaconReq->channelList.channelNumber[], allocated statically in the definition of tSirChannelList, is SIR_ESE_MAX_MEAS_IE_REQS (8). So when the pBeaconReq->channelList.numChannels, possible OOB read occurs.

Validate the value of pBeaconReq->channelList.numChannels received from the action frame against the maximum supported number of channels in the channel list, SIR_ESE_MAX_MEAS_IE_REQS (8). Place this validation inside the function sme_rrm_process_beacon_report_req_ind() instead of validating it at rrm_process_beacon_report_req(), so that it also defends against the other caller, sme_set_ese_beacon_request(), which is reached from a user space command through IOCTL.

Change-Id: I2074b04081328ceab7eeb29c33631a635e9d93c3
CRs-Fixed: 2335974
Bug: 125677804
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
Signed-off-by: Adam W. Willis <return.of.octobot@gmail.com>
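The bound check the commit describes, as an added illustration that is not the driver's code: the struct layouts, the status enum and the `demo_request()` driver are simplified stand-ins for the qcacld-3.0 types named in the message (tSirChannelList, SIR_ESE_MAX_MEAS_IE_REQS, the SME context), and the check sits in the SME handler so that both the action-frame path and the IOCTL path pass through it.

```c
#include <stdint.h>
#include <string.h>

/* Constructed, simplified stand-ins for the driver types named in the
 * commit message. Field layout is an assumption, not the real definitions. */
#define SIR_ESE_MAX_MEAS_IE_REQS 8

typedef struct {
    uint8_t numChannels;                             /* taken verbatim from the frame */
    uint8_t channelNumber[SIR_ESE_MAX_MEAS_IE_REQS]; /* fixed-size storage: 8 slots */
} tSirChannelList;

typedef struct { tSirChannelList channelList; } tSirBeaconReportReqInd;

typedef struct {
    uint8_t numChannels;
    uint8_t channelList[SIR_ESE_MAX_MEAS_IE_REQS];
} tRrmSmeContext;

typedef enum { STATUS_SUCCESS = 0, STATUS_E_INVAL = -1 } status_t;

/* Hardened handler: the bound is enforced where the message is consumed,
 * so every producer of eWNI_SME_BEACON_REPORT_REQ_IND is covered. */
status_t sme_rrm_process_beacon_report_req_ind(tRrmSmeContext *ctx,
                                               const tSirBeaconReportReqInd *req)
{
    uint8_t n = req->channelList.numChannels;

    /* Before the fix this check was absent: the loop below ran to n and
     * indexed channelNumber[8..n-1] past the end of the static array. */
    if (n > SIR_ESE_MAX_MEAS_IE_REQS)
        return STATUS_E_INVAL;

    ctx->numChannels = n;
    for (uint8_t i = 0; i < n; i++)
        ctx->channelList[i] = req->channelList.channelNumber[i];
    return STATUS_SUCCESS;
}

/* Feed the handler a constructed request whose numChannels header byte is
 * `claimed` (attacker-influenced) while the array holds its fixed 8 entries.
 * Returns the number of channels copied, or -1 if the request was rejected. */
int demo_request(uint8_t claimed)
{
    tSirBeaconReportReqInd req;
    tRrmSmeContext ctx;
    memset(&req, 0, sizeof(req));
    memset(&ctx, 0, sizeof(ctx));
    req.channelList.numChannels = claimed;
    for (uint8_t i = 0; i < SIR_ESE_MAX_MEAS_IE_REQS; i++)
        req.channelList.channelNumber[i] = (uint8_t)(1 + 4 * i); /* 1,5,...,29 */
    if (sme_rrm_process_beacon_report_req_ind(&ctx, &req) != STATUS_SUCCESS)
        return -1;
    return ctx.numChannels;
}
```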