Acasă Explorează Ajutor
Autentificare
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Bifurcare 0
Fisiere Probleme 0 Trageți solicitările 0 Wiki
Răsfoiți Sursa

qcacmn: Add frame length check in T2LM action frame parse APIs

Check for frame length before processing the T2LM request and response
action frames.

Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09
CRs-Fixed: 3704794
Shashikala Prabhu 1 an în urmă
părinte
789b303c02
comite
3c0cb90468
1 a modificat fișierele cu 19 adăugiri și 2 ștergeri
Vizualizare divizată Arată Statisticile Diff
  1. 19 2
      umac/mlo_mgr/src/wlan_mlo_t2lm.c

+ 19 - 2
umac/mlo_mgr/src/wlan_mlo_t2lm.c
Vizualizați fișierul 

@@ -473,6 +473,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_request_action_frame(
 
 		enum wlan_t2lm_category category)
 
 {
 
 	uint8_t *t2lm_action_frm;
 
+	uint32_t ie_len_parsed;
 
 
 	t2lm->category = category;
 
 
@@ -488,13 +489,20 @@ static QDF_STATUS wlan_mlo_parse_t2lm_request_action_frame(
 
 	 *-------------------------------------------
 
 	 */
 
 
+	ie_len_parsed = sizeof(*action_frm) + sizeof(uint8_t);
 
+
 
+	if (frame_len < ie_len_parsed) {
 
+		t2lm_err("Action frame length %d too short", frame_len);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
+
 
 	t2lm_action_frm = (uint8_t *)action_frm + sizeof(*action_frm);
 
 
 	t2lm->dialog_token = *t2lm_action_frm;
 
 
 	return wlan_mlo_parse_t2lm_ie(t2lm,
 
 				      t2lm_action_frm + sizeof(uint8_t),
 
-				      frame_len);
 
+				      frame_len - ie_len_parsed);
 
 }
 
 
 /**
 
@@ -515,6 +523,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 {
 
 	uint8_t *t2lm_action_frm;
 
 	QDF_STATUS ret_val = QDF_STATUS_SUCCESS;
 
+	uint32_t ie_len_parsed;
 
 
 	t2lm->category = WLAN_T2LM_CATEGORY_RESPONSE;
 
 	/*
 
@@ -529,6 +538,14 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 	 *----------------------------------------------------
 
 	 */
 
 
+	ie_len_parsed = sizeof(*action_frm) + sizeof(uint8_t) +
 
+			sizeof(uint16_t);
 
+
 
+	if (frame_len < ie_len_parsed) {
 
+		t2lm_err("Action frame length %d too short", frame_len);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
+
 
 	t2lm_action_frm = (uint8_t *)action_frm + sizeof(*action_frm);
 
 
 	t2lm->dialog_token = *t2lm_action_frm;
 
@@ -539,7 +556,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 			WLAN_T2LM_RESP_TYPE_PREFERRED_TID_TO_LINK_MAPPING) {
 
 		t2lm_action_frm += sizeof(uint8_t) + sizeof(uint16_t);
 
 		ret_val = wlan_mlo_parse_t2lm_ie(t2lm, t2lm_action_frm,
 
-						 frame_len);
 
+						 frame_len - ie_len_parsed);
 
 	}
 
 
 	return ret_val;