Home Explore Help
Sign In
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

qcacld-3.0: Add extended capabilities IE length check

When send assoc req frame, if the length for extended capabilities
IE is zero, but present field is non-zero, it will cause assoc req
frame malformed issue.

Fix is to set present field value to zero when the length for
extended capabilities IE is zero.

Change-Id: Ie8826e6cfb1fc3a44ee52115ad4482e040f2c38a
CRs-Fixed: 3085943
Huashan Qu 3 years ago
parent
2ebb5a37c1
commit
9560cddbc1
2 changed files with 12 additions and 2 deletions
Split View Show Diff Stats
  1. 2 2
      core/mac/src/pe/lim/lim_utils.c
  2. 10 0
      core/mac/src/sys/legacy/src/utils/src/parser_api.c

+ 2 - 2
core/mac/src/pe/lim/lim_utils.c
View File 

@@ -6351,7 +6351,7 @@ void lim_merge_extcap_struct(tDot11fIEExtCap *dst,
 
 
 	pe_debug("source extended capabilities length:%d", src->num_bytes);
 
 	QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
 
-			   src, src->num_bytes);
 
+			   src->bytes, src->num_bytes);
 
 
 	/* Return if strip the capabilities from @dst which not present */
 
 	if (!dst->present && !add)
 
@@ -6374,7 +6374,7 @@ void lim_merge_extcap_struct(tDot11fIEExtCap *dst,
 
 		pe_debug("destination extended capabilities length: %d",
 
 			 dst->num_bytes);
 
 		QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG,
 
-				   dst, dst->num_bytes);
 
+				   dst->bytes, dst->num_bytes);
 
 	}
 
 }

+ 10 - 0
core/mac/src/sys/legacy/src/utils/src/parser_api.c
View File 

@@ -7654,6 +7654,7 @@ QDF_STATUS populate_dot11f_twt_extended_caps(struct mac_context *mac_ctx,
 
 
 	dot11f->num_bytes = DOT11F_IE_EXTCAP_MAX_LEN;
 
 	p_ext_cap = (struct s_ext_cap *)dot11f->bytes;
 
+	dot11f->present = 1;
 
 
 	if (pe_session->opmode == QDF_STA_MODE)
 
 		p_ext_cap->twt_requestor_support =
 
@@ -7666,6 +7667,10 @@ QDF_STATUS populate_dot11f_twt_extended_caps(struct mac_context *mac_ctx,
 
 			mac_ctx->mlme_cfg->twt_cfg.res_flag;
 
 
 	dot11f->num_bytes = lim_compute_ext_cap_ie_length(dot11f);
 
+	if (!dot11f->num_bytes) {
 
+		dot11f->present = 0;
 
+		pe_debug("ext ie length become 0, disable the ext caps");
 
+	}
 
 
 	return QDF_STATUS_SUCCESS;
 
 }
 
@@ -8424,6 +8429,7 @@ QDF_STATUS populate_dot11f_btm_extended_caps(struct mac_context *mac_ctx,
 
 	pe_debug("enter");
 
 	dot11f->num_bytes = DOT11F_IE_EXTCAP_MAX_LEN;
 
 	p_ext_cap = (struct s_ext_cap *)dot11f->bytes;
 
+	dot11f->present = 1;
 
 
 	status = cm_akm_roam_allowed(mac_ctx->psoc, pe_session->vdev);
 
 	if (QDF_IS_STATUS_ERROR(status)) {
 
@@ -8432,6 +8438,10 @@ QDF_STATUS populate_dot11f_btm_extended_caps(struct mac_context *mac_ctx,
 
 	}
 
 
 	dot11f->num_bytes = lim_compute_ext_cap_ie_length(dot11f);
 
+	if (!dot11f->num_bytes) {
 
+		dot11f->present = 0;
 
+		pe_debug("ext ie length become 0, disable the ext caps");
 
+	}
 
 
 	return QDF_STATUS_SUCCESS;
 
 }