qcacld-3.0: Fix null pointer dereference of additional_ie

The add_ie pointer can be NULL and is dereferenced in
lim_send_assoc_req_mgmt_frame() without validation.

Add NULL pointer validation for add_ie before passing it to
wlan_get_ie_ptr_from_eid().

Change-Id: I3f7c9c54874511ea7de43366cc0e3cb2deffc182
CRs-Fixed: 3273518
Pragaspathi Thilagaraj
2022-08-23 11:49:53 +05:30
committed by Madan Koyyalamudi
parent 8028f13a5a
commit d680301aa1


@@ -2780,7 +2780,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
if (lim_is_fils_connection(pe_session)) {
populate_dot11f_fils_params(mac_ctx, frm, pe_session);
aes_block_size_len = AES_BLOCK_SIZE;
if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
if (add_ie && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
add_ie, add_ie_len))
frag_ie_present = true;
}
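Review bot: The new guard in the FILS branch tests `add_ie` but not `add_ie_len`, so a non-NULL pointer paired with a zero length still reaches `wlan_get_ie_ptr_from_eid()`; whether that helper rejects a too-short buffer is not visible here. Since the pointer and its length travel together, checking both keeps the pair consistent: `if (add_ie && add_ie_len && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,`. The RSNXE lookup further down in the same function repeats the same test, so computing one flag up front, for example `bool has_add_ie = add_ie && add_ie_len;`, would keep the two sites from drifting apart and make any other use of `add_ie` in the function easier to audit. The body of lim_send_assoc_req_mgmt_frame() starts and ends outside this hunk.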
@@ -2820,7 +2820,8 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
}
/* RSNX IE for SAE PWE derivation based on H2E */
if (wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
if (add_ie &&
wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
rsnx_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2);
if (!rsnx_ie)
goto end;