首页 发现 帮助
登录
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

qcacmn: Add frame length check in T2LM action frame parse APIs

Check for frame length before processing the T2LM request and response
action frames.

Change-Id: I3ac1c8f6c2ff58a8c3a6d589fe6485dd97bfce09
CRs-Fixed: 3704794
Shashikala Prabhu 1 年之前
父节点
789b303c02
当前提交
3c0cb90468
共有 1 个文件被更改,包括 19 次插入2 次删除
分列视图 显示文件统计
  1. 19 2
      umac/mlo_mgr/src/wlan_mlo_t2lm.c

+ 19 - 2
umac/mlo_mgr/src/wlan_mlo_t2lm.c
查看文件 

@@ -473,6 +473,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_request_action_frame(
 
 		enum wlan_t2lm_category category)
 
 {
 
 	uint8_t *t2lm_action_frm;
 
+	uint32_t ie_len_parsed;
 
 
 	t2lm->category = category;
 
 
@@ -488,13 +489,20 @@ static QDF_STATUS wlan_mlo_parse_t2lm_request_action_frame(
 
 	 *-------------------------------------------
 
 	 */
 
 
+	ie_len_parsed = sizeof(*action_frm) + sizeof(uint8_t);
 
+
 
+	if (frame_len < ie_len_parsed) {
 
+		t2lm_err("Action frame length %d too short", frame_len);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
+
 
 	t2lm_action_frm = (uint8_t *)action_frm + sizeof(*action_frm);
 
 
 	t2lm->dialog_token = *t2lm_action_frm;
 
 
 	return wlan_mlo_parse_t2lm_ie(t2lm,
 
 				      t2lm_action_frm + sizeof(uint8_t),
 
-				      frame_len);
 
+				      frame_len - ie_len_parsed);
 
 }
 
 
 /**
 
@@ -515,6 +523,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 {
 
 	uint8_t *t2lm_action_frm;
 
 	QDF_STATUS ret_val = QDF_STATUS_SUCCESS;
 
+	uint32_t ie_len_parsed;
 
 
 	t2lm->category = WLAN_T2LM_CATEGORY_RESPONSE;
 
 	/*
 
@@ -529,6 +538,14 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 	 *----------------------------------------------------
 
 	 */
 
 
+	ie_len_parsed = sizeof(*action_frm) + sizeof(uint8_t) +
 
+			sizeof(uint16_t);
 
+
 
+	if (frame_len < ie_len_parsed) {
 
+		t2lm_err("Action frame length %d too short", frame_len);
 
+		return QDF_STATUS_E_FAILURE;
 
+	}
 
+
 
 	t2lm_action_frm = (uint8_t *)action_frm + sizeof(*action_frm);
 
 
 	t2lm->dialog_token = *t2lm_action_frm;
 
@@ -539,7 +556,7 @@ static QDF_STATUS wlan_mlo_parse_t2lm_response_action_frame(
 
 			WLAN_T2LM_RESP_TYPE_PREFERRED_TID_TO_LINK_MAPPING) {
 
 		t2lm_action_frm += sizeof(uint8_t) + sizeof(uint16_t);
 
 		ret_val = wlan_mlo_parse_t2lm_ie(t2lm, t2lm_action_frm,
 
-						 frame_len);
 
+						 frame_len - ie_len_parsed);
 
 	}
 
 
 	return ret_val;