Página Principal Explorar Ajuda
Iniciar Sessão
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ver Fonte

qcacld-3.0: Skip IE which has length less than minimum valid IE length

QBSS IE uses min length of 4 bytes for version 1 and
min length of 5 bytes for version 2. Min length used
for IE is 5 bytes in driver which can cause WPA IE
parse failure if QBSS IE is 4 bytes resulting in failure
in fetching scan results due to security mismatch and
subsequently connection failure.

Fix is to skip the IE which has length less than the
minimum valid length.

Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1
CRs-Fixed: 2364663
Yeshwanth Sriram Guntuka há 6 anos atrás
pai
4ef9ba2cf8
commit
ad31502195
2 ficheiros alterados com 16 adições e 11 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 1 1
      core/mac/src/include/dot11f.h
  2. 15 10
      core/mac/src/sys/legacy/src/utils/src/dot11f.c

+ 1 - 1
core/mac/src/include/dot11f.h
Ver Ficheiro 

@@ -26,7 +26,7 @@
 
  *
 
  *
 
  * This file was automatically generated by 'framesc'
 
- * Fri Nov 23 09:33:04 2018 from the following file(s):
 
+ * Tue Dec 11 13:11:53 2018 from the following file(s):
 
  *
 
  * dot11f.frms
 
  *

+ 15 - 10
core/mac/src/sys/legacy/src/utils/src/dot11f.c
Ver Ficheiro 

@@ -24,7 +24,7 @@
 
  *
 
  *
 
  * This file was automatically generated by 'framesc'
 
- * Fri Nov 23 09:33:04 2018 from the following file(s):
 
+ * Tue Dec 11 13:11:53 2018 from the following file(s):
 
  *
 
  * dot11f.frms
 
  *
 
@@ -12998,20 +12998,25 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 
 		}
 
 
 		if (pIe) {
 
-			if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
 
-			    (len < pIe->minSize - pIe->noui - 2U)) {
 
-				FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
 
+			if ((nBufRemaining < pIe->minSize - pIe->noui - 2U)) {
 
+				FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
 
 					"be at least %d bytes in size, but "
 
 					"there are only %d bytes remaining in "
 
-					"this frame or the IE reports a size "
 
-					"of %d bytes.\n"),
 
-					pIe->name, pIe->minSize, nBufRemaining,
 
-					(len + pIe->noui + 2U));
 
+					"this frame\n"),
 
+					pIe->name, pIe->minSize, nBufRemaining);
 
 				FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
 
 				status |= DOT11F_INCOMPLETE_IE;
 
 				FRAMES_DBG_BREAK();
 
 				goto MandatoryCheck;
 
 			} else {
 
+				if (len < pIe->minSize - pIe->noui - 2U) {
 
+					FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
 
+							"be at least %d bytes in size, but "
 
+							"there are only %d bytes in the IE\n"),
 
+							pIe->name, pIe->minSize, (len + pIe->noui + 2U));
 
+					goto skip_ie;
 
+				}
 
+
 
 				if (len > pIe->maxSize - pIe->noui - 2U) {
 
 				FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
 
 					"an unexpectedly large size; it is presumably "
 
@@ -13025,7 +13030,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 
 						(*(uint16_t *)(pFrm + pIe->countOffset)));
 
 				if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
 
 					status |= DOT11F_DUPLICATE_IE;
 
-					goto skip_dup_ie;
 
+					goto skip_ie;
 
 				}
 
 				switch (pIe->sig) {
 
 				case SigIeGTK:
 
@@ -14547,7 +14552,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 
 			status |= DOT11F_UNKNOWN_IES;
 
 		}
 
 
-skip_dup_ie:
 
+skip_ie:
 
 		pBufRemaining += len;
 
 
 		if (len > nBufRemaining) {