| author | Jingxiang Ge <jge@codeaurora.org> | 2018-12-14 15:04:21 +0800 |
|---|---|---|
| committer | Jingxiang Ge <jge@codeaurora.org> | 2018-12-14 15:05:06 +0800 |
| commit | 6b9fdabdc6eb663a9fc577be8a208f0e60d49a25 (patch) | |
| tree | b50ae91a159076dc0a4487682104468f74c016bb | |
| parent | c3ae3631dfbc7726fa7191f55d9140ffbcce4a1a (diff) | |
qcacld-2.0: Skip IE which has length less than the minimum valid IE length
QBSS IE uses a min length of 4 bytes for version 1 and
a min length of 5 bytes for version 2. The min length used
for the IE in the driver is 5 bytes, which can cause a WPA IE
parse failure if the QBSS IE is 4 bytes, resulting in a failure
to fetch scan results due to a security mismatch and
subsequently a connection failure.
Fix is to skip the IE which has length less than the
minimum valid length.
Regression cause is I8e42fb7e9674845d152d2ec26a592e02a1b562ab.
Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1
CRs-Fixed: 2367033
| -rw-r--r-- | CORE/MAC/src/include/dot11f.h | 2 | ||||
| -rw-r--r-- | CORE/SYS/legacy/src/utils/src/dot11f.c | 25 |
2 files changed, 16 insertions, 11 deletions
diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index c2d5592d5f28..e6be54c2a589 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -32,7 +32,7 @@
 * \brief Structures, function prototypes & definitions
 * for working with 802.11 Frames
 * This file was automatically generated by 'framesc'
- * Fri Aug 31 18:54:55 2018 from the following file(s):
+ * Mon Dec 3 16:47:12 2018 from the following file(s):
 *
 * dot11f.frms
 *
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index 37f8a7f5d52c..f721294c861d 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -30,7 +30,7 @@
 * \brief Structures, functions & definitions for
 * working with 802.11 Frames
 * This file was automatically generated by 'framesc'
- * Fri Aug 31 18:54:55 2018 from the following file(s):
+ * Mon Dec 3 16:47:12 2018 from the following file(s):
 *
 * dot11f.frms
 *
@@ -22126,16 +22126,13 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
 if (pIe) {
- if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
- (len < pIe->minSize - pIe->noui - 2U))
+ if ((nBufRemaining < pIe->minSize - pIe->noui - 2U))
 {
- FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
 "be at least %d bytes in size, but "
 "there are only %d bytes remaining in "
- "this frame or the IE reports a size "
- "of %d bytes.\n"),
- pIe->name, pIe->minSize, nBufRemaining,
- (len + pIe->noui + 2U));
+ "this frame.\n"),
+ pIe->name, pIe->minSize, nBufRemaining);
 FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
 status |= DOT11F_INCOMPLETE_IE;
 FRAMES_DBG_BREAK();
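Review bot: The rewritten condition in the @@ -22126 hunk of dot11f.c keeps the double parentheses left behind when the `||` clause was removed; `if (nBufRemaining < pIe->minSize - pIe->noui - 2U)` says the same thing without suggesting a missing operand. The bound is computed in unsigned arithmetic because of the `2U`, so it wraps to a huge value if `minSize` is ever smaller than `noui + 2`; presumably the generated IE table guarantees it is not, but nothing in the hunk shows that. The two header-timestamp hunks on this line are generated noise. UnpackCore begins and ends outside this hunk.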
@@ -22143,6 +22140,14 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
 }
 else
 {
+ if (len < pIe->minSize - pIe->noui - 2U) {
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
+ "be at least %d bytes in size, but "
+ "there are only %d bytes in the IE\n"),
+ pIe->name, pIe->minSize, (len + pIe->noui + 2U));
+ goto skip_ie;
+ }
+
 if (len > pIe->maxSize - pIe->noui - 2U){
 FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
 "an unexpectedly large size; it is presumably "
@@ -22155,7 +22160,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
 countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
 if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
 status |= DOT11F_DUPLICATE_IE;
- goto skip_dup_ie;
+ goto skip_ie;
 }
 switch (pIe->sig) {
@@ -22629,7 +22634,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
 status |= DOT11F_UNKNOWN_IES;
 }
-skip_dup_ie:
+skip_ie:
 pBufRemaining += len;
 if (len > nBufRemaining)
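Review bot: The short-IE branch added in the @@ -22143 hunk jumps to `skip_ie` without recording anything in `status`, so a too-short IE now looks identical to an absent one to the caller, whereas the check it replaces raised DOT11F_INCOMPLETE_IE; if that leniency is deliberate (a 4-byte version-1 QBSS IE should not fail the whole frame), say so next to the goto, e.g. `/* Shorter than this IE's table minimum: treat it as absent rather than failing the frame. */`. The new FRAMES_LOG3 prints `(len + pIe->noui + 2U)`, an unsigned value, with `%d`; `%u` matches the argument, assuming FRFL hands the format straight to printf-style formatting. The `skip_dup_ie` to `skip_ie` renames in the next two hunks are consistent with the new second user of the label. UnpackCore begins and ends outside this hunk.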
