qcacld-3.0: Skip IE which has length less than minimum valid IE length

QBSS IE uses min length of 4 bytes for version 1 and min length of 5 bytes for version 2. Min length used for IE is 5 bytes in driver which can cause WPA IE parse failure if QBSS IE is 4 bytes resulting in failure in fetching scan results due to security mismatch and subsequently connection failure. Fix is to skip the IE which has length less than the minimum valid length. Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1 CRs-Fixed: 2364663
2018-12-11 13:13:36 +05:30
Commit ad31502195
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -26,7 +26,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
- * Fri Nov 23 09:33:04 2018 from the following file(s):
+ * Tue Dec 11 13:11:53 2018 from the following file(s):
 *
 * dot11f.frms
 *
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -24,7 +24,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
- * Fri Nov 23 09:33:04 2018 from the following file(s):
+ * Tue Dec 11 13:11:53 2018 from the following file(s):
 *
 * dot11f.frms
 *
@@ -12998,20 +12998,25 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 		}

 		if (pIe) {
-			if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
-			    (len < pIe->minSize - pIe->noui - 2U)) {
-				FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
+			if ((nBufRemaining < pIe->minSize - pIe->noui - 2U)) {
+				FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
 					"be at least %d bytes in size, but "
 					"there are only %d bytes remaining in "
-					"this frame or the IE reports a size "
-					"of %d bytes.\n"),
-					pIe->name, pIe->minSize, nBufRemaining,
-					(len + pIe->noui + 2U));
+					"this frame\n"),
+					pIe->name, pIe->minSize, nBufRemaining);
 				FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
 				status |= DOT11F_INCOMPLETE_IE;
 				FRAMES_DBG_BREAK();
 				goto MandatoryCheck;
 			} else {
+				if (len < pIe->minSize - pIe->noui - 2U) {
+					FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
+							"be at least %d bytes in size, but "
+							"there are only %d bytes in the IE\n"),
+							pIe->name, pIe->minSize, (len + pIe->noui + 2U));
+					goto skip_ie;
+				}
+
 				if (len > pIe->maxSize - pIe->noui - 2U) {
 				FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
 					"an unexpectedly large size; it is presumably "
@@ -13025,7 +13030,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 						(*(uint16_t *)(pFrm + pIe->countOffset)));
 				if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
 					status |= DOT11F_DUPLICATE_IE;
-					goto skip_dup_ie;
+					goto skip_ie;
 				}
 				switch (pIe->sig) {
 				case SigIeGTK:
@@ -14547,7 +14552,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 			status |= DOT11F_UNKNOWN_IES;
 		}

-skip_dup_ie:
+skip_ie:
 		pBufRemaining += len;

 		if (len > nBufRemaining) {