BACKPORT: qcacmn: Fix potential OOB read in util_scan_parse_rnr_ie

Currently, while parsing scan RNR Ie data is moved to next neighbor_ap_info_field after parsing the current neighbor_ap_info_field. But in last iteration pointer may try to access invalid data if (uint8_t *)ie + rnr_ie_len + 2) bytes are less than sizeof neighbor_ap_info_field and same is the case with tbtt_length access. Fix is to add a length check of data + next data size to be parsed < (uint8_t *)ie + rnr_ie_len + 2) instead of adding a validation of data length only. CRs-Fixed: 3710080 Change-Id: I05e5a9a02f0f4f9bc468db894588e676f0a248c0
2024-04-17 15:39:57 +05:30
parent d4244a4269
commit 19be8f1d72
1 changed files with 4 additions and 2 deletions
--- a/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -709,7 +709,8 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
 	rnr_ie_len = ie->ie_len;
 	data = (uint8_t *)ie + sizeof(struct ie_header);

-	while (data < ((uint8_t *)ie + rnr_ie_len + 2)) {
+	while ((data + sizeof(struct neighbor_ap_info_field)) <=
+					((uint8_t *)ie + rnr_ie_len + 2)) {
 		neighbor_ap_info = (struct neighbor_ap_info_field *)data;
 		tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
 		tbtt_length = neighbor_ap_info->tbtt_header.tbtt_info_length;
@@ -725,7 +726,8 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
 			break;

 		for (i = 0; i < (tbtt_count + 1) &&
-		     data < ((uint8_t *)ie + rnr_ie_len + 2); i++) {
+		     (data + tbtt_length) <=
+				((uint8_t *)ie + rnr_ie_len + 2); i++) {
 			if (i < MAX_RNR_BSS)
 				util_scan_update_rnr(
 					&scan_entry->rnr.bss_info[i],