
qcacld-3.0: Fix null pointer dereference of additional_ie

The add_ie pointer can be NULL and is dereferenced in
lim_send_assoc_req_mgmt_frame() without validation.

Add NULL pointer validation for add_ie before passing it to
wlan_get_ie_ptr_from_eid().

Change-Id: I3f7c9c54874511ea7de43366cc0e3cb2deffc182
CRs-Fixed: 3273518
Pragaspathi Thilagaraj 2 rokov pred
rodič
commit
d680301aa1

+ 4 - 3
core/mac/src/pe/lim/lim_send_management_frames.c

@@ -2780,8 +2780,8 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	if (lim_is_fils_connection(pe_session)) {
 		populate_dot11f_fils_params(mac_ctx, frm, pe_session);
 		aes_block_size_len = AES_BLOCK_SIZE;
-		if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
-					     add_ie, add_ie_len))
+		if (add_ie && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
+						       add_ie, add_ie_len))
 			frag_ie_present = true;
 	}
 
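Review bot: The new `add_ie &&` guard on the FILS fragment-IE lookup tests only the pointer, and the same guard is repeated by hand at the RSNXE lookup in the second hunk. Any other use of `add_ie` in lim_send_assoc_req_mgmt_frame() outside these two hunks therefore stays unprotected. Whether a NULL `add_ie` can arrive with a non-zero `add_ie_len` is not visible here; if it can, normalising the pair once where it is set up, e.g. `if (!add_ie) add_ie_len = 0;`, or rejecting NULL inside wlan_get_ie_ptr_from_eid() itself, would cover every caller instead of two call sites. A one-line comment such as `/* add_ie may be NULL; skip IE parsing in that case */` above each check would record why it is there. The function body starts and ends outside both hunks, so the remaining uses should be checked against the full file.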
@@ -2820,7 +2820,8 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	}
 
 	/* RSNX IE for SAE PWE derivation based on H2E */
-	if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
+	if (add_ie &&
+	    wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
 		rsnx_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2);
 		if (!rsnx_ie)
 			goto end;