Home Esplora Aiuto
Accedi
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Forka 0
File Problemi 0 Pull Requests 0 Wiki
Sfoglia il codice sorgente

qcacld-3.0: Fix invalid bss descriptor length check

bss_descriptor->length is calculated as:
bss_desc->length = ie_length + sizeof(*bss_desc) -
                   sizeof(bss_desc->len)

In wlan_get_ielen_from_bss_description(), the bss_desc length is
validated as below to return failure if ie_length is 0:
=> (bss_desc->length - sizeof(bss_desc->len)) <= ieFields_offset
Since the bss_desc->length already has the sizeof(bss_desc->len)
subtracted while it was populated.
So this could return failure, if the SSID IE length is less than
or equal to 4.
To avoid this, change the failure condition as below:
(bss_desc->length <= (ieFields_offset - sizeof(bss_desc->len))

Change-Id: Ib0af8e967c26ff0ca9a3b8c44107be4e80378e01
CRs-Fixed: 3022657
Pragaspathi Thilagaraj 3 anni fa
parent
33ec87f37a
commit
6d69abef11
1 ha cambiato i file con 9 aggiunte e 2 eliminazioni
Visualizzazione separata Mostra Diff Stats
  1. 9 2
      core/mac/src/sys/legacy/src/utils/src/parser_api.c

+ 9 - 2
core/mac/src/sys/legacy/src/utils/src/parser_api.c
Vedi File 

@@ -8571,9 +8571,16 @@ wlan_get_ielen_from_bss_description(struct bss_description *bss_desc)
 
 
 	ieFields_offset = GET_FIELD_OFFSET(struct bss_description, ieFields);
 
 
-	if ((!bss_desc || !bss_desc->length) ||
 
-	    (bss_desc->length - sizeof(bss_desc->length) <= ieFields_offset))
 
+	if (!bss_desc) {
 
+		pe_err_rl("Bss_desc is NULL");
 
 		return 0;
 
+	}
 
+
 
+	if (bss_desc->length <= (ieFields_offset - sizeof(bss_desc->length))) {
 
+		pe_err_rl("Invalid bss_desc len:%d ie_fields_offset:%d",
 
+			  bss_desc->length, ieFields_offset);
 
+		return 0;
 
+	}
 
 
 	/*
 
 	 * Length of BSS desription is without length of