
qcacld-3.0: Handle null pointer dereference

In lim_send_assoc_req_mgmt_frame the host allocates memory
for the IE according to add_ie_len; add a check that
add_ie_len is non-zero before the API calls where add_ie
is passed and used without being verified.

Change-Id: I8856bb79ac15aeaf643ae8414ea6799aac199feb
CRs-Fixed: 3351656
Asutosh Mohapatra 2 年 前
d93f04a203
1 ファイル変更8 行追加8 行削除
      core/mac/src/pe/lim/lim_send_management_frames.c

+ 8 - 8
core/mac/src/pe/lim/lim_send_management_frames.c

@@ -2753,7 +2753,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 					    &frm->he_6ghz_band_cap);
 	}
 
-	if (lim_is_session_eht_capable(pe_session)) {
+	if (add_ie_len && lim_is_session_eht_capable(pe_session)) {
 		populate_dot11f_eht_caps(mac_ctx, pe_session, &frm->eht_cap);
 		lim_strip_mlo_ie(mac_ctx, add_ie, &add_ie_len);
 	}
@@ -2852,13 +2852,13 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	if (lim_is_fils_connection(pe_session)) {
 		populate_dot11f_fils_params(mac_ctx, frm, pe_session);
 		aes_block_size_len = AES_BLOCK_SIZE;
-		if (add_ie && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
-						       add_ie, add_ie_len))
+		if (add_ie_len && wlan_get_ie_ptr_from_eid(WLAN_ELEMID_FRAGMENT,
+							   add_ie, add_ie_len))
 			frag_ie_present = true;
 	}
 
 	/* Strip and append HLP container IE only if it is fragmented */
-	if (frag_ie_present &&
+	if (frag_ie_present && add_ie_len &&
 	    wlan_get_ext_ie_ptr_from_ext_id(SIR_FILS_HLP_OUI_TYPE,
 					    SIR_FILS_HLP_OUI_LEN, add_ie,
 					    add_ie_len)) {
@@ -2892,7 +2892,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	}
 
 	/* RSNX IE for SAE PWE derivation based on H2E */
-	if (add_ie &&
+	if (add_ie_len &&
 	    wlan_get_ie_ptr_from_eid(WLAN_ELEMID_RSNXE, add_ie, add_ie_len)) {
 		rsnx_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2);
 		if (!rsnx_ie)
@@ -2908,7 +2908,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 		rsnx_ie_len = rsnx_ie[1] + 2;
 	}
 	/* MSCS ext ie */
-	if (add_ie &&
+	if (add_ie_len &&
 	    wlan_get_ext_ie_ptr_from_ext_id(MSCS_OUI_TYPE, MSCS_OUI_SIZE,
 					    add_ie, add_ie_len)) {
 		mscs_ext_ie = qdf_mem_malloc(WLAN_MAX_IE_LEN + 2);
@@ -2934,7 +2934,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	 * TLVs with same attribute in a single IE.
 	 * Strip off the MBO IE from add_ie and append it at the end.
 	 */
-	if (add_ie &&
+	if (add_ie_len &&
 	    wlan_get_vendor_ie_ptr_from_oui(SIR_MAC_MBO_OUI,
 					    SIR_MAC_MBO_OUI_SIZE, add_ie,
 					    add_ie_len)) {
@@ -2975,7 +2975,7 @@ lim_send_assoc_req_mgmt_frame(struct mac_context *mac_ctx,
 	 * Append the IEs just before MBO IEs as MBO IEs have to be at the
 	 * end of the frame.
 	 */
-	if (add_ie &&
+	if (add_ie_len &&
 	    wlan_get_ie_ptr_from_eid(WLAN_ELEMID_VENDOR, add_ie, add_ie_len)) {
 		vendor_ies = qdf_mem_malloc(MAX_VENDOR_IES_LEN + 2);
 		if (vendor_ies) {
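Review bot: The first hunk (around line 2753) now skips populate_dot11f_eht_caps whenever add_ie_len is zero, although none of its visible arguments involve add_ie, so an EHT-capable session with no additional IEs would build an association request without EHT capabilities. Only the lim_strip_mlo_ie call needs the guard; I would keep `if (lim_is_session_eht_capable(pe_session)) {` as before and wrap just the strip call: `if (add_ie_len)` / `lim_strip_mlo_ie(mac_ctx, add_ie, &add_ie_len);`. The remaining hunks replace the `add_ie` pointer check with a length check, which relies on the invariant that a non-zero add_ie_len is always paired with a non-NULL add_ie; if that is not guaranteed by every caller, `add_ie && add_ie_len &&` covers both conditions at no cost. lim_send_assoc_req_mgmt_frame begins and ends outside these hunks.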