Página Principal Explorar Ajuda
Iniciar Sessão
samsung-sm8650
/
android_kernel_samsung_sm8650-modules
2
0
Fork 0
Ficheiros Problemas 0 Pull Requests 0 Wiki
Ver Fonte

qcacmn: Add length check in beacon IE parsing function

Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.

1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME

Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873039
Shashikala Prabhu há 4 anos atrás
pai
07c4fc98d1
commit
b69d3780be
2 ficheiros alterados com 19 adições e 0 exclusões
Visão Dividida Mostrar Estatísticas Diff
  1. 11 0
      umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
  2. 8 0
      umac/scan/dispatcher/src/wlan_scan_utils_api.c

+ 11 - 0
umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
Ver Ficheiro 

@@ -150,6 +150,17 @@
 
 #define WLAN_TPE_IE_MIN_LEN                      2
 
 #define WLAN_MAX_NUM_TPE_IE                      2
 
 
+/* Wide band channel switch IE length */
 
+#define WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN          3
 
+
 
+/* Number of max TX power elements supported plus size of Transmit Power
 
+ * Information element.
 
+ */
 
+#define WLAN_TPE_IE_MAX_LEN                      9
 
+
 
+/* Max channel switch time IE length */
 
+#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN         4
 
+
 
 /* HT capability flags */
 
 #define WLAN_HTCAP_C_ADVCODING             0x0001
 
 #define WLAN_HTCAP_C_CHWIDTH40             0x0002

+ 8 - 0
umac/scan/dispatcher/src/wlan_scan_utils_api.c
Ver Ficheiro 

@@ -590,12 +590,18 @@ util_scan_parse_chan_switch_wrapper_ie(struct scan_cache_entry *scan_params,
 
 		}
 
 		switch (sub_ie->ie_id) {
 
 		case WLAN_ELEMID_COUNTRY:
 
+			if (sub_ie->ie_len < WLAN_COUNTRY_IE_MIN_LEN)
 
+				return QDF_STATUS_E_INVAL;
 
 			scan_params->ie_list.country = (uint8_t *)sub_ie;
 
 			break;
 
 		case WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH:
 
+			if (sub_ie->ie_len != WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN)
 
+				return QDF_STATUS_E_INVAL;
 
 			scan_params->ie_list.widebw = (uint8_t *)sub_ie;
 
 			break;
 
 		case WLAN_ELEMID_VHT_TX_PWR_ENVLP:
 
+			if (sub_ie->ie_len > WLAN_TPE_IE_MAX_LEN)
 
+				return QDF_STATUS_E_INVAL;
 
 			scan_params->ie_list.txpwrenvlp = (uint8_t *)sub_ie;
 
 			break;
 
 		}
 
@@ -762,6 +768,8 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params,
 
 
 	switch (extn_ie->ie_extn_id) {
 
 	case WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME:
 
+		if (extn_ie->ie_len != WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN)
 
+			return QDF_STATUS_E_INVAL;
 
 		scan_params->ie_list.mcst  = (uint8_t *)ie;
 
 		break;
 
 	case WLAN_EXTN_ELEMID_SRP: