authorCNSS_WLAN Service <cnssbldsw@qualcomm.com>2021-02-03 01:04:15 -0800
committerGerrit - the friendly Code Review server <code-review@localhost>2021-02-03 01:04:15 -0800
commitbd7c38edbba78d7d0a584c31fe5418f2450dc587 (patch)
tree0497d61cb0ff481f7958f17a439e65659d2e0b01
parentb3ce7366e73876855c2e88130de2347d1b3a74b4 (diff)
parent7068d82e1e9fedcccdef19b64227bfb07663dc52 (diff)
Merge "wifihal: Fix possible buffer-overflow during TLV read" into wlan-aosp.lnx.6.0
-rw-r--r--qcwcn/wifi_hal/nan.cpp14
-rw-r--r--qcwcn/wifi_hal/nan_i.h4
-rw-r--r--qcwcn/wifi_hal/nan_ind.cpp18
-rw-r--r--qcwcn/wifi_hal/nan_rsp.cpp2
4 files changed, 26 insertions, 12 deletions
diff --git a/qcwcn/wifi_hal/nan.cpp b/qcwcn/wifi_hal/nan.cpp
index 3df67f9..2428e1d 100644
--- a/qcwcn/wifi_hal/nan.cpp
+++ b/qcwcn/wifi_hal/nan.cpp
@@ -1393,7 +1393,7 @@ u16 NANTLV_WriteTlv(pNanTlv pInTlv, u8 *pOutTlv)
return writeLen;
}
-u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv)
+u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv, int inBufferSize)
{
u16 readLen = 0;
@@ -1409,6 +1409,12 @@ u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv)
return readLen;
}
+ if(inBufferSize < NAN_TLV_HEADER_SIZE) {
+ ALOGE("Insufficient length to process TLV header, inBufferSize = %d",
+ inBufferSize);
+ return readLen;
+ }
+
pOutTlv->type = *pInTlv++;
pOutTlv->type |= *pInTlv++ << 8;
readLen += 2;
@@ -1419,6 +1425,12 @@ u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv)
pOutTlv->length |= *pInTlv++ << 8;
readLen += 2;
+ if(pOutTlv->length > inBufferSize - NAN_TLV_HEADER_SIZE) {
+ ALOGE("Insufficient length to process TLV header, inBufferSize = %d",
+ inBufferSize);
+ return readLen;
+ }
+
ALOGV("READ TLV length %u, readLen %u", pOutTlv->length, readLen);
if (pOutTlv->length) {
diff --git a/qcwcn/wifi_hal/nan_i.h b/qcwcn/wifi_hal/nan_i.h
index f79d842..d9aa39c 100644
--- a/qcwcn/wifi_hal/nan_i.h
+++ b/qcwcn/wifi_hal/nan_i.h
@@ -340,6 +340,8 @@ typedef enum
#define NAN_WINDOW_DW 0
#define NAN_WINDOW_FAW 1
+#define NAN_TLV_HEADER_SIZE 4
+
/* NAN Error Rsp */
typedef struct PACKED
{
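Review bot: `NAN_TLV_HEADER_SIZE` at L59 is a bare magic number; the reader in nan.cpp consumes a 2-byte type followed by a 2-byte length, and the constant should say so, e.g. `/* 2-byte type + 2-byte length, as consumed by NANTLV_ReadTlv/NANTLV_WriteTlv */` on the line above it. Keeping it next to the `NAN_WINDOW_*` defines is fine, but a `sizeof`-style relationship to a header struct, if one exists elsewhere in this header, would be preferable to a literal.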
@@ -786,7 +788,7 @@ typedef struct PACKED
/* Function Declarations */
u8* addTlv(u16 type, u16 length, const u8* value, u8* pOutTlv);
-u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv);
+u16 NANTLV_ReadTlv(u8 *pInTlv, pNanTlv pOutTlv, int inBufferSize);
u16 NANTLV_WriteTlv(pNanTlv pInTlv, u8 *pOutTlv);
/* NAN Beacon Sdf Payload Req */
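Review bot: The new `inBufferSize` parameter on the prototype at L68 has no documented contract, and it is the parameter every caller now has to get right. A comment on the declaration should pin it down, e.g. `/* inBufferSize: bytes readable at pInTlv; returns 0 when fewer than NAN_TLV_HEADER_SIZE bytes remain. Callers must stop iterating on a 0 return. */`. Note it is a signed `int`; a negative value is rejected by the `< NAN_TLV_HEADER_SIZE` check in nan.cpp, which is worth stating so nobody "fixes" the type to unsigned and loses that property.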
diff --git a/qcwcn/wifi_hal/nan_ind.cpp b/qcwcn/wifi_hal/nan_ind.cpp
index 6496314..834cc2a 100644
--- a/qcwcn/wifi_hal/nan_ind.cpp
+++ b/qcwcn/wifi_hal/nan_ind.cpp
@@ -227,7 +227,7 @@ int NanCommand::getNanPublishReplied(NanPublishRepliedInd *event)
return WIFI_SUCCESS;
}
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
switch (outputTlv.type) {
case NAN_TLV_TYPE_MAC_ADDRESS:
if (outputTlv.length > sizeof(event->addr)) {
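Review bot: The `switch (outputTlv.type)` at L81 still runs whenever NANTLV_ReadTlv returns non-zero, and on the new over-length path in nan.cpp it returns 4 with outputTlv.length set to the rejected value and outputTlv.value not updated, so the per-type checks such as the one at L83 are reached with a possibly unset value pointer. Until the reader returns 0 on that path, a caller-side guard after the call would keep the handlers honest: `if (readLen < NAN_TLV_HEADER_SIZE + outputTlv.length) break;` placed before the switch (a valid TLV always has readLen == header + length, so the guard only fires on a rejected read). The same loop shape is repeated in every hunk of this file, so whatever guard is chosen should be applied uniformly. getNanPublishReplied's body continues past the end of this hunk.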
@@ -296,7 +296,7 @@ int NanCommand::getNanMatch(NanMatchInd *event)
}
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -484,7 +484,7 @@ int NanCommand::getNanFollowup(NanFollowupInd *event)
}
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -548,7 +548,7 @@ int NanCommand::getNanDiscEngEvent(NanDiscEngEventInd *event)
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -635,7 +635,7 @@ int NanCommand::getNanTca(NanTCAInd *event)
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -688,7 +688,7 @@ int NanCommand::getNanBeaconSdfPayload(NanBeaconSdfPayloadInd *event)
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -811,7 +811,7 @@ int NanCommand::getNanReceivePostDiscoveryVal(const u8 *pInValue,
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -1299,7 +1299,7 @@ int NanCommand::getNanRangeRequestReceivedInd(NanRangeRequestInd *event)
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
@@ -1348,7 +1348,7 @@ int NanCommand::getNanRangeReportInd(NanRangeReportInd *event)
ALOGV("%s: TLV remaining Len:%d",__func__, remainingLen);
while ((remainingLen > 0) &&
- (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv)))) {
+ (0 != (readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen)))) {
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
diff --git a/qcwcn/wifi_hal/nan_rsp.cpp b/qcwcn/wifi_hal/nan_rsp.cpp
index 2ab0a5d..b461b88 100644
--- a/qcwcn/wifi_hal/nan_rsp.cpp
+++ b/qcwcn/wifi_hal/nan_rsp.cpp
@@ -513,7 +513,7 @@ int NanCommand::getNanResponse(transaction_id *id, NanResponseMsg *pRsp)
int remainingLen = (mNanDataLen - \
(sizeof(NanMsgHeader) + sizeof(NanStatsRspParams)));
if (remainingLen > 0) {
- readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv);
+ readLen = NANTLV_ReadTlv(pInputTlv, &outputTlv, remainingLen);
ALOGV("%s: Remaining Len:%d readLen:%d type:%d length:%d",
__func__, remainingLen, readLen, outputTlv.type,
outputTlv.length);
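Review bot: `remainingLen` at L155-L156 is computed by subtracting a `sizeof(...)` sum from `mNanDataLen`, so the subtraction is performed in `size_t` and then narrowed to `int`; if mNanDataLen is smaller than the two headers (its type is not visible here), the wrapped value only becomes negative through implementation-defined conversion, and the `remainingLen > 0` test at L157 relies on that. Comparing before subtracting avoids the dependence, e.g. `if (mNanDataLen < (int)(sizeof(NanMsgHeader) + sizeof(NanStatsRspParams))) return -1; /* or the function's error convention */` ahead of the subtraction. Also, the single-shot read at L159 is followed only by a log line inside the hunk; the code after it, outside this hunk, should treat `readLen == 0` as "no TLV" before touching outputTlv.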