| author | tinlin <tinlin@codeaurora.org> | 2018-08-02 10:31:37 +0800 |
|---|---|---|
| committer | tinlin <tinlin@codeaurora.org> | 2018-08-02 10:31:37 +0800 |
| commit | 095c3cf7cbbe3014ec1e6285f1a68c115fb8eddf | |
| tree | 3aa68ff258eb356a6d5fe7c808e0fe3eac6678e8 | |
| parent | 0ad2cd3334e1e7607262c33d7010a2131c5ac872 | |
qcacld-2.0: Allocate extra 100 bytes to add missing IE info
In the API sir_validate_and_rectify_ies, the driver rectifies
the RSN IE, if the AP hasn't filled the RSN capabilities in the
beacon/probe response, but has filled the length of IE as extra
2 bytes meant for the RSN capabilities. The driver tries to repair
these kinds of frames and fills the last 2 bytes of RSN IE with
default RSN capabilities, to prevent the failure of unpacking
the IEs in unpack-core. But, the driver may write these default
RSN capabilities into some other allocated memory, because the
allocated memory is only the frame length, which would result
in OOB write.
Fix is to allocate some reserve bytes in the frame
for these types of issues.
Change-Id: I46c7301f3e40f84d2c68ec9ba38702baa6926306
CRs-Fixed: 2289522
| -rw-r--r-- | CORE/CLD_TXRX/TLSHIM/tl_shim.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/CORE/CLD_TXRX/TLSHIM/tl_shim.c b/CORE/CLD_TXRX/TLSHIM/tl_shim.c index af602958eb62..0edc137ee2a4 100644 --- a/CORE/CLD_TXRX/TLSHIM/tl_shim.c +++ b/CORE/CLD_TXRX/TLSHIM/tl_shim.c @@ -547,6 +547,7 @@ end: return should_drop; } +#define RESERVE_BYTES 100 static int tlshim_mgmt_rx_process(void *context, u_int8_t *data, u_int32_t data_len, bool saved_beacon, u_int32_t vdev_id) { @@ -658,9 +659,28 @@ static int tlshim_mgmt_rx_process(void *context, u_int8_t *data, */ rx_pkt->pkt_meta.roamCandidateInd = saved_beacon ? 1 : 0; rx_pkt->pkt_meta.sessionId = vdev_id; - /* Why not just use rx_event->hdr.buf_len? */ + /* + * Allocate the memory for this rx packet, add extra 100 bytes for:- + * + * 1. Filling the missing RSN capabilites by some APs, which fill the + * RSN IE length as extra 2 bytes but dont fill the IE data with + * capabilities, resulting in failure in unpack core due to length + * mismatch. Check sir_validate_and_rectify_ies for more info. + * + * 2. In the API wma_process_rmf_frame(), the driver trims the CCMP + * header by overwriting the IEEE header to memory occupied by CCMP + * header, but an overflow is possible if the memory allocated to + * frame is less than the sizeof(struct ieee80211_frame) +CCMP + * HEADER len, so allocating 100 bytes would solve this issue too. + * + * 3. CCMP header is pointing to orig_hdr + + * sizeof(struct ieee80211_frame) which could also result in OOB + * access, if the data len is less than + * sizeof(struct ieee80211_frame), allocating extra bytes would + * result in solving this issue too. + */ wbuf = adf_nbuf_alloc(NULL, - roundup(hdr->buf_len, 4), + roundup(hdr->buf_len + RESERVE_BYTES, 4), 0, 4, FALSE); if (!wbuf) { adf_os_spin_unlock_bh(&tl_shim->mgmt_lock); |
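Review bot: in the first hunk, `#define RESERVE_BYTES 100` is a magic number that the second hunk justifies in terms of a 2-byte RSN capabilities field, sizeof(struct ieee80211_frame) and the CCMP header length, yet nothing ties the constant to those sizes, so a reader cannot tell whether 100 covers all three cases or merely happens to. Consider expressing the define as a sum of those lengths, or at least adding a comment beside it stating how 100 was derived, and placing it with the file's other constants rather than immediately above `tlshim_mgmt_rx_process`.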
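Review bot: in the second hunk, padding the allocation with `roundup(hdr->buf_len + RESERVE_BYTES, 4)` keeps the writes described in cases 1 and 2 of the new comment inside the nbuf, but neither sir_validate_and_rectify_ies nor wma_process_rmf_frame, as described here, gains a check that the frame is long enough, so those callers still write and read past hdr->buf_len and the fix only holds as long as every allocation path adds the same slack. Case 3 is the weakest: reading the CCMP header at orig_hdr + sizeof(struct ieee80211_frame) when data_len is shorter than that now reads reserve bytes that, unless adf_nbuf_alloc zeroes the buffer (this hunk does not show that), hold whatever the allocator left there, so a length check (data_len at least sizeof(struct ieee80211_frame) plus the CCMP header length) in wma_process_rmf_frame is still needed and the comment should not present the extra bytes as solving that case. Minor: the comment hard-codes "100 bytes" twice where RESERVE_BYTES is the source of truth and will go stale if the define changes, and it has typos ("capabilites", "dont", ":-").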
