samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacmn: Add length check in beacon IE parsing function

Browse Source 
Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.

1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME

Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873039
This commit is contained in:
Shashikala Prabhu
2021-02-08 13:02:49 +05:30
committed by snandini
parent 07c4fc98d1
commit b69d3780be
2 changed files with 19 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
View File

@@ -150,6 +150,17 @@
#define WLAN_TPE_IE_MIN_LEN 2
#define WLAN_MAX_NUM_TPE_IE 2
/* Wide band channel switch IE length */
#define WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN 3
/* Number of max TX power elements supported plus size of Transmit Power
* Information element.
*/
#define WLAN_TPE_IE_MAX_LEN 9
/* Max channel switch time IE length */
#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4
/* HT capability flags */
#define WLAN_HTCAP_C_ADVCODING 0x0001
#define WLAN_HTCAP_C_CHWIDTH40 0x0002

8
umac/scan/dispatcher/src/wlan_scan_utils_api.c
View File

@@ -590,12 +590,18 @@ util_scan_parse_chan_switch_wrapper_ie(struct scan_cache_entry *scan_params,
}
switch (sub_ie->ie_id) {
case WLAN_ELEMID_COUNTRY:
if (sub_ie->ie_len < WLAN_COUNTRY_IE_MIN_LEN)
return QDF_STATUS_E_INVAL;
scan_params->ie_list.country = (uint8_t *)sub_ie;
break;
case WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH:
if (sub_ie->ie_len != WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN)
return QDF_STATUS_E_INVAL;
scan_params->ie_list.widebw = (uint8_t *)sub_ie;
break;
case WLAN_ELEMID_VHT_TX_PWR_ENVLP:
if (sub_ie->ie_len > WLAN_TPE_IE_MAX_LEN)
return QDF_STATUS_E_INVAL;
scan_params->ie_list.txpwrenvlp = (uint8_t *)sub_ie;
break;
}
@@ -762,6 +768,8 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params,
switch (extn_ie->ie_extn_id) {
case WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME:
if (extn_ie->ie_len != WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN)
return QDF_STATUS_E_INVAL;
scan_params->ie_list.mcst = (uint8_t *)ie;
break;
case WLAN_EXTN_ELEMID_SRP: