samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Fix interop VHT vendor IE parse error

Browse Source 
Currently when parsing interop VHT vendor IE, it will have OOB
read when only VHT cap IE is present.

Try to read VHT op IE only when it is present.

Change-Id: Id1919a0ed1df56ecef54d6cb663c10cbcae5065f
CRs-Fixed: 2453071
This commit is contained in:
Min Liu
2019-05-17 13:29:00 +08:00
committed by nshrivas
parent ad4eded14b
commit b218312e75
1 changed files with 14 additions and 12 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
umac/scan/dispatcher/src/wlan_scan_utils_api.c
View File

@@ -434,7 +434,7 @@ util_scan_parse_vendor_ie(struct scan_cache_entry *scan_params,
ie)->hi_ie); ie)->hi_ie);
} }
} else if (is_interop_vht((uint8_t *)ie) && } else if (is_interop_vht((uint8_t *)ie) &&
!(scan_params->ie_list.vhtop)) { !(scan_params->ie_list.vhtcap)) {
uint8_t *vendor_ie = (uint8_t *)(ie); uint8_t *vendor_ie = (uint8_t *)(ie);
if (ie->ie_len < ((WLAN_VENDOR_VHTCAP_IE_OFFSET + if (ie->ie_len < ((WLAN_VENDOR_VHTCAP_IE_OFFSET +
@@ -450,17 +450,19 @@ util_scan_parse_vendor_ie(struct scan_cache_entry *scan_params,
WLAN_VENDOR_VHTCAP_IE_OFFSET); WLAN_VENDOR_VHTCAP_IE_OFFSET);
if (ie->ie_len > ((WLAN_VENDOR_VHTCAP_IE_OFFSET + if (ie->ie_len > ((WLAN_VENDOR_VHTCAP_IE_OFFSET +
sizeof(struct wlan_ie_vhtcaps)) - sizeof(struct wlan_ie_vhtcaps)) -
sizeof(struct ie_header)) && sizeof(struct ie_header))) {
ie->ie_len < ((WLAN_VENDOR_VHTOP_IE_OFFSET + if (ie->ie_len < ((WLAN_VENDOR_VHTOP_IE_OFFSET +
sizeof(struct wlan_ie_vhtop)) - sizeof(struct wlan_ie_vhtop)) -
sizeof(struct ie_header))) sizeof(struct ie_header)))
return QDF_STATUS_E_INVAL; return QDF_STATUS_E_INVAL;
vendor_ie = ((uint8_t *)(ie)) + WLAN_VENDOR_VHTOP_IE_OFFSET; vendor_ie = ((uint8_t *)(ie)) +
if (vendor_ie[1] != (sizeof(struct wlan_ie_vhtop) - WLAN_VENDOR_VHTOP_IE_OFFSET;
sizeof(struct ie_header))) if (vendor_ie[1] != (sizeof(struct wlan_ie_vhtop) -
return QDF_STATUS_E_INVAL; sizeof(struct ie_header)))
scan_params->ie_list.vhtop = (((uint8_t *)(ie)) + return QDF_STATUS_E_INVAL;
WLAN_VENDOR_VHTOP_IE_OFFSET); scan_params->ie_list.vhtop = (((uint8_t *)(ie)) +
WLAN_VENDOR_VHTOP_IE_OFFSET);
}
} else if (is_bwnss_oui((uint8_t *)ie)) { } else if (is_bwnss_oui((uint8_t *)ie)) {
/* /*
* Bandwidth-NSS map has sub-type & version. * Bandwidth-NSS map has sub-type & version.