|
@@ -3880,6 +3880,7 @@ static void wma_mem_endianness_based_copy(
|
|
|
}
|
|
|
#endif
|
|
|
|
|
|
+#define RESERVE_BYTES 100
|
|
|
/**
|
|
|
* wma_mgmt_rx_process() - process management rx frame.
|
|
|
* @handle: wma handle
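Review bot: `RESERVE_BYTES` is introduced with no comment and a name that says nothing about what it is reserved for, while the rationale for the value sits in a comment inside wma_mgmt_rx_process() in the next hunk. A reader of this file-scope define cannot tell that it is tail slack for every management rx buffer or that callers downstream (sir_validate_and_rectify_ies, wma_process_rmf_frame) rely on it. Suggest a one-line comment on the define, e.g. `#define RESERVE_BYTES 100 /* tail slack added to every mgmt rx nbuf; rationale in wma_mgmt_rx_process() */`, and, since the file is large, a scoped name such as `WMA_MGMT_RX_RESERVE_BYTES` if nothing else already uses the bare name.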
|
|
@@ -3926,8 +3927,29 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
|
|
|
mgmt_rx_params->pdev_id = 0;
|
|
|
mgmt_rx_params->rx_params = NULL;
|
|
|
|
|
|
- wbuf = qdf_nbuf_alloc(NULL, roundup(mgmt_rx_params->buf_len, 4),
|
|
|
- 0, 4, false);
|
|
|
+ /*
|
|
|
+ * Allocate the memory for this rx packet, add extra 100 bytes for:-
|
|
|
+ *
|
|
|
+ * 1. Filling the missing RSN capabilites by some APs, which fill the
|
|
|
+ * RSN IE length as extra 2 bytes but dont fill the IE data with
|
|
|
+ * capabilities, resulting in failure in unpack core due to length
|
|
|
+ * mismatch. Check sir_validate_and_rectify_ies for more info.
|
|
|
+ *
|
|
|
+ * 2. In the API wma_process_rmf_frame(), the driver trims the CCMP
|
|
|
+ * header by overwriting the IEEE header to memory occupied by CCMP
|
|
|
+ * header, but an overflow is possible if the memory allocated to
|
|
|
+ * frame is less than the sizeof(struct ieee80211_frame) +CCMP
|
|
|
+ * HEADER len, so allocating 100 bytes would solve this issue too.
|
|
|
+ *
|
|
|
+ * 3. CCMP header is pointing to orig_hdr +
|
|
|
+ * sizeof(struct ieee80211_frame) which could also result in OOB
|
|
|
+ * access, if the data len is less than
|
|
|
+ * sizeof(struct ieee80211_frame), allocating extra bytes would
|
|
|
+ * result in solving this issue too.
|
|
|
+ */
|
|
|
+ wbuf = qdf_nbuf_alloc(NULL, roundup(mgmt_rx_params->buf_len +
|
|
|
+ RESERVE_BYTES,
|
|
|
+ 4), 0, 4, false);
|
|
|
if (!wbuf) {
|
|
|
WMA_LOGE("%s: Failed to allocate wbuf for mgmt rx len(%u)",
|
|
|
__func__, mgmt_rx_params->buf_len);
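Review bot: The extra `RESERVE_BYTES` of slack turns the out-of-bounds reads described in points 2 and 3 of the new comment into reads of uninitialised allocation tail, it does not stop a frame shorter than `sizeof(struct ieee80211_frame)` plus the CCMP header from being processed, so wma_process_rmf_frame() (outside this hunk) would now parse whatever qdf_nbuf_alloc left in those bytes instead of rejecting the frame. A minimum-length check on `mgmt_rx_params->buf_len` before the RMF path, returning the same failure value the `!wbuf` branch uses, is the fix the padding is standing in for. Separately, `mgmt_rx_params->buf_len + RESERVE_BYTES` is added before `roundup()`; if buf_len is not bounded earlier in the function (not visible here), a near-maximum value wraps the sum and yields an undersized buffer for the later copy, so a bound such as `if (mgmt_rx_params->buf_len > <max mgmt frame length>)` belongs ahead of the allocation. Finally, the comment says "add extra 100 bytes" and "allocating 100 bytes"; say `RESERVE_BYTES` instead so the text does not go stale when the constant changes.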
|