qcacmn: Drop fragmented multicast/broadcast frames

CVE-2020-26145
Broadcast and multicast frames should never be fragmented. Several devices
process broadcasted fragments as normal unfragmented frames. Moreover, some
devices accept plaintext fragmented broadcast or multicast frames in
protected Wi-Fi networks. An adversary can abuse this to inject packets
by encapsulating them in a fragmented plaintext broadcast frame. Even
unicast packets can be encapsulated in broadcast Wi-Fi frames and hence
be injected.

Change-Id: I3181a05e177cf9374a14edb748bc5001d058e0f3
CRs-Fixed: 2893212
Varsha Mishra 4 years ago
parent
commit
01c0c273d1
1 changed file with 11 additions and 0 deletions

+ 11 - 0
dp/wifi3.0/dp_rx_defrag.c

@@ -930,6 +930,17 @@ dp_rx_construct_fraglist(struct dp_peer *peer, int tid, qdf_nbuf_t head,
 		prev_pn128[0] = cur_pn128[0];
 		prev_pn128[1] = cur_pn128[1];
 
+		/*
+		 * Broadcast and multicast frames should never be fragmented.
+		 * Iterating through all msdus and dropping fragments if even
+		 * one of them has mcast/bcast destination address.
+		 */
+		if (hal_rx_msdu_is_wlan_mcast(msdu)) {
+			QDF_TRACE(QDF_MODULE_ID_TXRX, QDF_TRACE_LEVEL_ERROR,
+				  "Dropping multicast/broadcast fragments");
+			return QDF_STATUS_E_FAILURE;
+		}
+
 		dp_rx_frag_pull_hdr(msdu, hdrsize);
 		len += qdf_nbuf_len(msdu);
 		msdu = qdf_nbuf_next(msdu);
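
Review bot: the QDF_TRACE call in the new hal_rx_msdu_is_wlan_mcast() branch logs at QDF_TRACE_LEVEL_ERROR every time a fragment chain is dropped, and the commit message describes these frames as something an adversary can inject, so the error log can be filled on demand. Consider a rate-limited or lower-level trace together with a drop counter, so the event stays visible to monitoring without the per-frame log cost. The return also sits inside the loop, after dp_rx_frag_pull_hdr() may already have run on earlier msdus in the list; please confirm that the caller frees the whole chain when dp_rx_construct_fraglist() returns QDF_STATUS_E_FAILURE. Finally, the comment says the loop iterates through all msdus, but the check is per msdu and could be applied as each fragment is received, which would avoid holding group-addressed fragments for reassembly at all.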