qcacld-3.0: Fix null pointer dereference of additional_ie

The add_ie pointer can be NULL and is dereferenced in
lim_send_assoc_req_mgmt_frame() without validation.

Add NULL pointer validation for add_ie before passing it to
wlan_get_ie_ptr_from_eid().

Change-Id: I3f7c9c54874511ea7de43366cc0e3cb2deffc182
CRs-Fixed: 3273518
Pragaspathi Thilagaraj
2022-08-23 11:49:53 +05:30
提交者 Madan Koyyalamudi
父節點 8028f13a5a
當前提交 d680301aa1


@@ -2780,8 +2780,8 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
if (lim_is_fils_connection(pe_session)) { if (lim_is_fils_connection(pe_session)) {
populate_dot11f_fils_params(mac_ctx, frm, pe_session); populate_dot11f_fils_params(mac_ctx, frm, pe_session);
aes_block_size_len = AES_BLOCK_SIZE; aes_block_size_len = AES_BLOCK_SIZE;
if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT, if (add_ie && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
add_ie, add_ie_len)) add_ie, add_ie_len))
frag_ie_present = true; frag_ie_present = true;
} }
@@ -2820,7 +2820,8 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
} }
/* RSNX IE for SAE PWE derivation based on H2E */ /* RSNX IE for SAE PWE derivation based on H2E */
if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) { if (add_ie &&
wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
rsnx_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2); rsnx_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2);
if (!rsnx_ie) if (!rsnx_ie)
goto end; goto end;
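Review bot: Both new guards (the `WLAN_ELEMID_FRAGMENT` lookup in the first hunk and the `WLAN_ELEMID_RSNXE` lookup in the second) test only the pointer, so a NULL `add_ie` paired with a non-zero `add_ie_len` stays in the function's state after each check. The function body starts and ends outside these hunks, so it is not visible whether other code uses `add_ie` or `add_ie_len` without a guard. If it does, normalising the pair once where they are assigned would cover every use and make the repeated per-call checks unnecessary, for example `if (!add_ie) add_ie_len = 0;`. Either way, a short comment at the first guard saying when `add_ie` is legitimately NULL would help the next reader tell an expected case from a caller bug.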