android/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: OOB while parsing ML per STA profile

Browse Source 
Currently, while parsing the per STA profile IE, driver tries to
access the EXTN element ID without checking IE len. When IE len
is zero, if driver tries to access the IE after IE header then it
will leads to out of bound error.

So, to fix this, add check for IE len before accessing it.

Change-Id: I30d3fae9aaedc0011a2d3415e273d5e32db2d56e
CRs-Fixed: 3852338
This commit is contained in:
Rahul Gusain 2024-06-28 15:40:42 +05:30 committed by Ravindra Konda
parent 97f3bdc18e
commit 608d3ddcb6
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
umac/mlo_mgr/src/utils_mlo.c
View File

@ -5080,6 +5080,16 @@ util_parse_pamlie_perstaprofile_stactrl(uint8_t *subelempayload,
break;
case WLAN_ELEMID_EXTN_ELEM:
extn_ie = (struct extn_ie_header *)ie;
/**
* Zero IE len means there is no IE contents (EXT ID)
* and so, if IE is dereferenced after IE len then it
* can leads to out of bound error.
* | IE ID | IE len | EXT ID |
*/
if (!extn_ie->ie_len) {
mlo_err_rl("extn element has zero len");
return QDF_STATUS_E_PROTO;
}
switch (extn_ie->ie_extn_id) {
case WLAN_EXTN_ELEMID_MUEDCA:
if (extn_ie->ie_len == WLAN_MAX_MUEDCA_IE_LEN) {