
qcacld-3.0: Fix integer overflow in rrm_fill_beacon_ies()

In rrm_fill_beacon_ies(), the len is the total length of
IE + 2 bytes for element ID (1 byte) and length of the
IE (1 byte). len is declared as uint8_t and can only hold
values up to 255. When the IE content length is 254,
adding 2 bytes to it causes len to overflow (wrap to 0),
resulting in an endless loop in rrm_fill_beacon_ies.

Change the len type to uint16_t to avoid integer overflow.

Change-Id: Id6a6bcce150f778e24316ccc5fb51c6e2a95fc5e
CRs-Fixed: 2537774
Pragaspathi Thilagaraj há 5 anos atrás
pai
commit
3548a66560
1 ficheiros alterados com 17 adições e 26 exclusões
  1. 17 26
      core/mac/src/pe/rrm/rrm_api.c

+ 17 - 26
core/mac/src/pe/rrm/rrm_api.c

@@ -650,37 +650,28 @@ rrm_process_beacon_report_req(struct mac_context *mac,
 	return eRRM_SUCCESS;
 }
 
-/* -------------------------------------------------------------------- */
 /**
- * rrm_fill_beacon_ies
- *
- * FUNCTION:
- *
- * LOGIC: Fills Fixed fields and Ies in bss description to an array of uint8_t.
- *
- * ASSUMPTIONS:
- *
- * NOTE:
- *
- * @param pIes - pointer to the buffer that should be populated with ies.
- * @param pNumIes - returns the num of ies filled in this param.
- * @param pIesMaxSize - Max size of the buffer pIes.
- * @param eids - pointer to array of eids. If NULL, all ies will be populated.
- * @param numEids - number of elements in array eids.
+ * rrm_fill_beacon_ies() - Fills fixed fields and Ies in bss description to an
+ * array of uint8_t.
+ * @pIes - pointer to the buffer that should be populated with ies.
+ * @pNumIes - returns the num of ies filled in this param.
+ * @pIesMaxSize - Max size of the buffer pIes.
+ * @eids - pointer to array of eids. If NULL, all ies will be populated.
+ * @numEids - number of elements in array eids.
  * @start_offset: Offset from where the IEs in the bss_desc should be parsed
- * @param bss_desc - pointer to Bss Description.
+ * @bss_desc - pointer to Bss Description.
  *
- * Returns: Remaining length of IEs in current bss_desc which are not included
- *	    in pIes.
+ * Return: Remaining length of IEs in current bss_desc which are not included
+ *	   in pIes.
  */
 static uint8_t
-rrm_fill_beacon_ies(struct mac_context *mac,
-		    uint8_t *pIes, uint8_t *pNumIes, uint8_t pIesMaxSize,
-		    uint8_t *eids, uint8_t numEids, uint8_t start_offset,
+rrm_fill_beacon_ies(struct mac_context *mac, uint8_t *pIes,
+		    uint8_t *pNumIes, uint8_t pIesMaxSize, uint8_t *eids,
+		    uint8_t numEids, uint8_t start_offset,
 		    struct bss_description *bss_desc)
 {
-	uint8_t len, *pBcnIes, count = 0, i;
-	uint16_t BcnNumIes, total_ies_len;
+	uint8_t *pBcnIes, count = 0, i;
+	uint16_t BcnNumIes, total_ies_len, len;
 	uint8_t rem_len = 0;
 
 	if ((!pIes) || (!pNumIes) || (!bss_desc)) {
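Review bot: The widening stops at `len`; the declaration `uint8_t rem_len = 0;` that closes the hunk and the function's `static uint8_t` return type stay 8-bit, so if the remaining-IE length is derived from `total_ies_len` (a uint16_t) it can still be truncated on the way out — the rest of the body, where rem_len is computed and returned, lies outside the hunk, so this is inferred rather than shown. If the total IE length of a bss_desc can exceed 255 bytes, `uint16_t rem_len = 0;` together with a `uint16_t` return type (and adjusted callers) would keep the fix from moving the wrap from the loop counter to the return value. Separately, the rewritten kernel-doc mixes `@pIes - ...` with `@start_offset: ...`; kernel-doc expects the colon form, e.g. `@pIes: pointer to the buffer that should be populated with ies.`, and `@mac` has no entry at all.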
@@ -729,8 +720,8 @@ rrm_fill_beacon_ies(struct mac_context *mac,
 		pe_debug("EID = %d, len = %d total = %d",
 			*pBcnIes, *(pBcnIes + 1), len);
 
-		if (!len) {
-			pe_err("Invalid length");
+		if (len <= 2) {
+			pe_err("RRM: Invalid IE");
 			break;
 		}