samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Skip IE which has length less than minimum valid IE length

Browse Source 
QBSS IE uses min length of 4 bytes for version 1 and
min length of 5 bytes for version 2. Min length used
for IE is 5 bytes in driver which can cause WPA IE
parse failure if QBSS IE is 4 bytes resulting in failure
in fetching scan results due to security mismatch and
subsequently connection failure.

Fix is to skip the IE which has length less than the
minimum valid length.

Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1
CRs-Fixed: 2364663
This commit is contained in:
Yeshwanth Sriram Guntuka
2018-12-11 13:13:36 +05:30
committed by nshrivas
parent 4ef9ba2cf8
commit ad31502195
2 changed files with 16 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
core/mac/src/include/dot11f.h
View File

@@ -26,7 +26,7 @@
* *
* *
* This file was automatically generated by 'framesc' * This file was automatically generated by 'framesc'
* Fri Nov 23 09:33:04 2018 from the following file(s): * Tue Dec 11 13:11:53 2018 from the following file(s):
* *
* dot11f.frms * dot11f.frms
* *

25
core/mac/src/sys/legacy/src/utils/src/dot11f.c
View File

@@ -24,7 +24,7 @@
* *
* *
* This file was automatically generated by 'framesc' * This file was automatically generated by 'framesc'
* Fri Nov 23 09:33:04 2018 from the following file(s): * Tue Dec 11 13:11:53 2018 from the following file(s):
* *
* dot11f.frms * dot11f.frms
* *
@@ -12998,20 +12998,25 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
} }
if (pIe) { if (pIe) {
if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) || if ((nBufRemaining < pIe->minSize - pIe->noui - 2U)) {
(len < pIe->minSize - pIe->noui - 2U)) { FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
"be at least %d bytes in size, but " "be at least %d bytes in size, but "
"there are only %d bytes remaining in " "there are only %d bytes remaining in "
"this frame or the IE reports a size " "this frame\n"),
"of %d bytes.\n"), pIe->name, pIe->minSize, nBufRemaining);
pIe->name, pIe->minSize, nBufRemaining,
(len + pIe->noui + 2U));
FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf); FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
status |= DOT11F_INCOMPLETE_IE; status |= DOT11F_INCOMPLETE_IE;
FRAMES_DBG_BREAK(); FRAMES_DBG_BREAK();
goto MandatoryCheck; goto MandatoryCheck;
} else { } else {
if (len < pIe->minSize - pIe->noui - 2U) {
FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
"be at least %d bytes in size, but "
"there are only %d bytes in the IE\n"),
pIe->name, pIe->minSize, (len + pIe->noui + 2U));
goto skip_ie;
}
if (len > pIe->maxSize - pIe->noui - 2U) { if (len > pIe->maxSize - pIe->noui - 2U) {
FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports " FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
"an unexpectedly large size; it is presumably " "an unexpectedly large size; it is presumably "
@@ -13025,7 +13030,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
(*(uint16_t *)(pFrm + pIe->countOffset))); (*(uint16_t *)(pFrm + pIe->countOffset)));
if (0 != pIe->arraybound && countOffset >= pIe->arraybound) { if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
status |= DOT11F_DUPLICATE_IE; status |= DOT11F_DUPLICATE_IE;
goto skip_dup_ie; goto skip_ie;
} }
switch (pIe->sig) { switch (pIe->sig) {
case SigIeGTK: case SigIeGTK:
@@ -14547,7 +14552,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
status |= DOT11F_UNKNOWN_IES; status |= DOT11F_UNKNOWN_IES;
} }
skip_dup_ie: skip_ie:
pBufRemaining += len; pBufRemaining += len;
if (len > nBufRemaining) { if (len > nBufRemaining) {