| author | Qun Zhang <qunz@codeaurora.org> | 2018-06-19 13:08:22 +0800 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-06-19 23:38:57 -0700 |
| commit | 8fef9e62528cdceb2965535a08822eaab879d8f3 (patch) | |
| tree | 1c9db6f72917ba1f592083d8fba91e869497bbb9 | |
| parent | bf6a8da3af24a1156de797abc461544881cb5529 (diff) | |
qcacld-2.0: Avoid integer underflow in dot11f_unpack functions
propagation from qcacld-3.0 to qcacld-2.0
In the dot11f_unpack functions, the length of the buffer passed in is
decremented as the pointer advances through the buffer. Add a check for
integer underflow (i.e. that enough bytes remain) before decrementing the length.
qcacld-3.0 to CLD2.0 propagation of the following CRs:
2237141, 2231755, 2246426, 2150438
Change-Id: I4ed39d326855c2027ff0bc3cbe5c8981a2ae2aa1
CRs-Fixed: 2259649
| -rw-r--r-- | CORE/MAC/src/include/dot11f.h | 6 | ||||
| -rw-r--r-- | CORE/SYS/legacy/src/utils/src/dot11f.c | 2184 |
2 files changed, 2188 insertions, 2 deletions
diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h index 95f2eb4630de..eba56a508ac5 100644 --- a/CORE/MAC/src/include/dot11f.h +++ b/CORE/MAC/src/include/dot11f.h @@ -32,7 +32,7 @@ * \brief Structures, function prototypes & definitions * for working with 802.11 Frames * This file was automatically generated by 'framesc' - * Wed Jun 13 13:53:03 2018 from the following file(s): + * Wed Jun 20 14:32:20 2018 from the following file(s): * * dot11f.frms * @@ -51,6 +51,10 @@ typedef tANI_U32 tDOT11F_U64[2]; # pragma warning (disable: 4214) /* nonstandard extension used */ #endif /* Microsoft C/C++ bit field types other than int */ +#if !defined unlikely +#define unlikely(x) (x) +#endif + /* * Frames Return Codes: * diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c index 144c2d3ef627..6de2358e1a3a 100644 --- a/CORE/SYS/legacy/src/utils/src/dot11f.c +++ b/CORE/SYS/legacy/src/utils/src/dot11f.c @@ -30,7 +30,7 @@ * \brief Structures, functions & definitions for * working with 802.11 Frames * This file was automatically generated by 'framesc' - * Wed Jun 13 13:53:03 2018 from the following file(s): + * Wed Jun 20 14:32:20 2018 from the following file(s): * * dot11f.frms * @@ -1012,6 +1012,11 @@ tANI_U32 dot11fUnpackTlvAuthorizedMACs(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->mac, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; @@ -1030,6 +1035,11 @@ tANI_U32 dot11fUnpackTlvVersion2(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tl tANI_U32 status = DOT11F_PARSE_SUCCESS; tANI_U8 tmp8__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp8__ = *pBuf; pBuf += 1; tlvlen -= 1; 
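Review bot: The fallback `#define unlikely(x) (x)` in dot11f.h is guarded only by `#if !defined unlikely`, so which body dot11f.c ends up with depends on whether the driver's real `unlikely` (normally from `<linux/compiler.h>`) is included before this header; if it is pulled in afterwards, its differing definition is a macro redefinition warning, and an error under -Werror. I cannot see the include order from this diff, so please confirm it, or make the header self-sufficient by including the compiler header explicitly in the kernel build and keeping the no-op only for non-kernel consumers. The conventional spelling is also `#ifndef unlikely`. The refreshed framesc timestamp suggests this fallback lives in the generator template, which is where it should be maintained.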
@@ -1052,6 +1062,11 @@ tANI_U32 dot11fUnpackTlvChannelList(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; @@ -1081,9 +1096,19 @@ tANI_U32 dot11fUnpackTlvConfigurationTimeout(tpAniSirGlobal pCtx, tANI_U8 *pBuf, { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->GOConfigTimeout = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->CLConfigTimeout = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1121,9 +1146,19 @@ tANI_U32 dot11fUnpackTlvExtendedListenTiming(tpAniSirGlobal pCtx, tANI_U8 *pBuf, { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityPeriod, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityInterval, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; @@ -1141,6 +1176,11 @@ tANI_U32 dot11fUnpackTlvIntendedP2PInterfaceAddress(tpAniSirGlobal pCtx, tANI_U8 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PInterfaceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1158,12 +1198,27 @@ tANI_U32 dot11fUnpackTlvListenChannel(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1241,9 +1296,19 @@ tANI_U32 dot11fUnpackTlvNoticeOfAbsence(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->index = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->CTSWindowOppPS = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1267,12 +1332,27 @@ tANI_U32 dot11fUnpackTlvOperatingChannel(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; 
@@ -1287,9 +1367,19 @@ tANI_U32 dot11fUnpackTlvP2PCapability(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->deviceCapability = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->groupCapability = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1304,6 +1394,11 @@ tANI_U32 dot11fUnpackTlvP2PDeviceId(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; @@ -1323,12 +1418,27 @@ tANI_U32 dot11fUnpackTlvP2PDeviceInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->configMethod, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->primaryDeviceType, pBuf, 8); pBuf += 8; tlvlen -= (tANI_U8)8; @@ -1349,6 +1459,11 @@ tANI_U32 dot11fUnpackTlvP2PGroupBssid(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PGroupBssid, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1363,6 +1478,11 @@ tANI_U32 dot11fUnpackTlvP2PGroupId(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->deviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; @@ -1405,12 +1525,27 @@ tANI_U32 dot11fUnpackTlvPrimaryDeviceType(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA tANI_U32 status = DOT11F_PARSE_SUCCESS; (void)pBuf; (void)tlvlen; /* Shutup the compiler */ pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (tANI_U8)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; @@ -1428,12 +1563,27 @@ tANI_U32 dot11fUnpackTlvRequestDeviceType(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (tANI_U8)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; 
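Review bot: In dot11fUnpackTlvPrimaryDeviceType the line `(void)pBuf; (void)tlvlen; /* Shutup the compiler */` is now misleading, because the three added `if (unlikely(tlvlen < N))` guards read tlvlen and pBuf is dereferenced immediately after them; the casts no longer silence anything and tell a reader the parameters are unused when they are now load-bearing. The same stale `(void) pBuf; (void)ielen;` line survives in every dot11fUnpackIe* function touched further down. Since dot11f.c is framesc output, the casts should be dropped in the generator template rather than hand-edited here; until then a comment such as `/* tlvlen is validated by the guards below; the (void) casts are historical */` would stop the next reader from treating the guards as dead code.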
@@ -1480,6 +1630,11 @@ tANI_U32 dot11fUnpackTlvUUID_E(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlvl { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (tANI_U8)16; @@ -1494,6 +1649,11 @@ tANI_U32 dot11fUnpackTlvUUID_R(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlvl { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (tANI_U8)16; @@ -1515,6 +1675,11 @@ tANI_U32 dot11fUnpackTlvVendorExtension(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->vendorId, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; @@ -1536,6 +1701,11 @@ tANI_U32 dot11fUnpackTlvVersion(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlv tANI_U32 status = DOT11F_PARSE_SUCCESS; tANI_U8 tmp9__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp9__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1555,6 +1725,11 @@ tANI_U32 dot11fUnpackTlvP2PInterface(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U1 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1574,6 +1749,11 @@ tANI_U32 dot11fUnpackIeCondensedCountryStr(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryStr, pBuf, 2); (void)pCtx; return status; @@ -1589,14 +1769,29 @@ tANI_U32 dot11fUnpackIeGTK(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp10__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->keyId = tmp10__ >> 0 & 0x3; pDst->reserved = tmp10__ >> 2 & 0x3feb; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RSC, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; @@ -1620,15 +1815,35 @@ tANI_U32 dot11fUnpackIeIGTK(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->keyID, pBuf, 2); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->IPN, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 24)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key, pBuf, 24); (void)pCtx; return status; 
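Review bot: The new guard in dot11fUnpackIeCondensedCountryStr returns a bare `DOT11F_INCOMPLETE_IE` and forces `pDst->present = 0`, which discards the `DOT11F_DUPLICATE_IE` recorded two lines earlier and, for a repeated IE, clears the presence bit of the first copy that did parse correctly (its `countryStr` is still intact because the truncated copy is rejected before the memcpy). This file already combines return codes as flags (`return ( status | DOT11F_BAD_FIXED_VALUE );` in the WMMSchedule hunk below), so, assuming DOT11F_INCOMPLETE_IE is a distinct bit like the others, `return (status | DOT11F_INCOMPLETE_IE);` would keep the duplicate flag visible without changing the non-duplicate path. Whether a truncated duplicate should read as absent or as the earlier copy is a policy choice the commit message does not state; please document it either way, ideally in the generator since the same pattern is emitted in every dot11fUnpackIe* hunk. For GTK on this same line the partial overwrite of `keyId`/`reserved` before the later `ielen < 1` guard makes `present = 0` the safer result, which argues for keeping the reset but still OR-ing the status.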
@@ -1643,6 +1858,11 @@ tANI_U32 dot11fUnpackIeMccChanInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; (void)pCtx; return status; @@ -1677,6 +1897,11 @@ tANI_U32 dot11fUnpackIeR1KH_ID(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->PMK_R1_ID, pBuf, 6); (void)pCtx; return status; @@ -1691,9 +1916,19 @@ tANI_U32 dot11fUnpackIeSub20Info(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->capability = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->csa_chanwidth = *pBuf; (void)pCtx; return status; @@ -1708,9 +1943,19 @@ tANI_U32 dot11fUnpackIeTSFInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->TsfOffset, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->BeaconIntvl, pBuf, 0); (void)pCtx; return status; 
@@ -1725,6 +1970,11 @@ tANI_U32 dot11fUnpackIeAPChannelReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1748,6 +1998,11 @@ tANI_U32 dot11fUnpackIeBcnReportingDetail(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingDetail = *pBuf; (void)pCtx; return status; @@ -1782,9 +2037,19 @@ tANI_U32 dot11fUnpackIeBeaconReporting(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingCondition = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->threshold = *pBuf; (void)pCtx; return status; @@ -1799,6 +2064,11 @@ tANI_U32 dot11fUnpackIeMeasurementPilot(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurementPilot = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -1817,6 +2087,11 @@ tANI_U32 dot11fUnpackIeMultiBssid(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxBSSIDIndicator = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1835,12 +2110,27 @@ tANI_U32 dot11fUnpackIeRICData(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->Identifier = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceDescCount = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->statusCode, pBuf, 0); (void)pCtx; return status; @@ -1855,6 +2145,11 @@ tANI_U32 dot11fUnpackIeRICDescriptor(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1878,6 +2173,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp11__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -1889,6 +2189,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->BeaconActive = tmp11__ >> 5 & 0x1; pDst->BeaconTable = tmp11__ >> 6 & 0x1; pDst->BeaconRepCond = tmp11__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp12__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1900,6 +2205,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->LCIAzimuth = tmp12__ >> 5 & 0x1; pDst->TCMCapability = tmp12__ >> 6 & 0x1; pDst->triggeredTCM = tmp12__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp13__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1907,6 +2217,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->RRMMIBEnabled = tmp13__ >> 1 & 0x1; pDst->operatingChanMax = tmp13__ >> 2 & 0x7; pDst->nonOperatinChanMax = tmp13__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp14__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1916,6 +2231,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->RCPIMeasurement = tmp14__ >> 5 & 0x1; pDst->RSNIMeasurement = tmp14__ >> 6 & 0x1; pDst->BssAvgAccessDelay = tmp14__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp15__ = *pBuf; pDst->BSSAvailAdmission = tmp15__ >> 0 & 0x1; pDst->AntennaInformation = tmp15__ >> 1 & 0x1; @@ -1975,6 +2295,11 @@ tANI_U32 dot11fUnpackIeSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp16__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -1982,15 +2307,35 @@ tANI_U32 dot11fUnpackIeSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->tsid = tmp16__ >> 1 & 0xf; pDst->direction = tmp16__ >> 5 & 0x3; pDst->reserved = tmp16__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; 
@@ -2005,70 +2350,165 @@ tANI_U32 dot11fUnpackIeTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, 
&pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; 
@@ -2076,6 +2516,11 @@ tANI_U32 dot11fUnpackIeTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, } break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -2097,6 +2542,11 @@ tANI_U32 dot11fUnpackIeTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; @@ -2114,6 +2564,11 @@ tANI_U32 dot11fUnpackIeTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp17__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2125,55 +2580,135 @@ tANI_U32 dot11fUnpackIeTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->psb = tmp17__ >> 10 & 0x1; pDst->user_priority = tmp17__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp17__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp18__ = *pBuf; pBuf += 1; ielen -= 1; pDst->schedule = tmp18__ >> 0 & 0x1; pDst->unused = tmp18__ >> 1 & 0x7f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp19__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp19__ >> 0 & 0x7fff; pDst->fixed = tmp19__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= 
(tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2191,6 +2726,11 @@ tANI_U32 dot11fUnpackIeVHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp20__, pBuf, 0); pBuf += 4; ielen -= 4; 
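Review bot: Every field read in dot11fUnpackIeTSPEC is fixed-size, so the sixteen back-to-back `if (unlikely(ielen < N))` guards in this hunk (the reads here total 53 bytes, 55 with the two-byte tmp17__ read in the preceding `@@ -2114` hunk) could be a single check at the top of the function, `if (unlikely(ielen < 55)) { pDst->present = 0; return DOT11F_INCOMPLETE_IE; }`, leaving the per-field form for IEs with variable-length tails. That would keep the unpack path from growing by ~80 lines of identical branches and make the behaviour on a short element trivially "nothing written" instead of a partially filled struct with present cleared. The unconditional reads suggest no field is optional, so the result would be unchanged, but please confirm against the frames definition. Since dot11f.c is framesc output this is a generator-template choice rather than a hand edit, and the function begins before this hunk.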
@@ -2214,17 +2754,37 @@ tANI_U32 dot11fUnpackIeVHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen pDst->rxAntPattern = tmp20__ >> 28 & 0x1; pDst->txAntPattern = tmp20__ >> 29 & 0x1; pDst->reserved1 = tmp20__ >> 30 & 0x3; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->rxMCSMap, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp21__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->rxHighSupDataRate = tmp21__ >> 0 & 0x1fff; pDst->reserved2 = tmp21__ >> 13 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->txMCSMap, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp22__, pBuf, 0); pDst->txSupDataRate = tmp22__ >> 0 & 0x1fff; pDst->reserved3 = tmp22__ >> 13 & 0x7; @@ -2241,15 +2801,35 @@ tANI_U32 dot11fUnpackIeVHTOperation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanWidth = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg1 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg2 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->basicMCSSet, pBuf, 0); (void)pCtx; return status; 
@@ -2265,6 +2845,11 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -2273,6 +2858,11 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp23__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -2280,15 +2870,35 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i pDst->tsid = tmp23__ >> 1 & 0xf; pDst->direction = tmp23__ >> 5 & 0x3; pDst->reserved = tmp23__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; @@ -2303,6 +2913,11 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -2311,70 +2926,165 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if 
(unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; 
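Review bot: In dot11fUnpackIeWMMTCLAS the inner `switch (pDst->info.IpParams.version)` shows only `case 4:` and `case 6:`, and the following hunk opens with the switch's closing brace and `break;` directly after the IPv6 body (one unshown line sits between the hunks, presumably the IPv6 `break;`), so no `default:` appears to exist; an IE carrying any other version value is then returned as successfully parsed with `present` left at 1 and `info.IpParams.params` untouched. The outer `switch (pDst->classifier_type)` ends outside the hunk, so the same question applies to unknown classifier types. A `default:` that clears the flag and reports a failure, e.g. `default: pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE );` (or a dedicated code if the generator defines one), would make the unpacker reject a malformed classifier rather than accept it with unparsed fields. dot11fUnpackIeWMMTCLAS begins before this hunk.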
@@ -2382,6 +3092,11 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele } break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -2400,6 +3115,11 @@ tANI_U32 dot11fUnpackIeWMMTCLASPROC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -2408,6 +3128,11 @@ tANI_U32 dot11fUnpackIeWMMTCLASPROC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->processing = *pBuf; (void)pCtx; return status; @@ -2422,6 +3147,11 @@ tANI_U32 dot11fUnpackIeWMMTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -2430,6 +3160,11 @@ tANI_U32 dot11fUnpackIeWMMTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; 
@@ -2447,6 +3182,11 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->version = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -2455,6 +3195,11 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 pDst->present = 0;
 return ( status | DOT11F_BAD_FIXED_VALUE );
 }
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &tmp24__, pBuf, 0);
 pBuf += 2;
 ielen -= 2;
@@ -2466,55 +3211,135 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->psb = tmp24__ >> 10 & 0x1; pDst->user_priority = tmp24__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp24__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp25__ = *pBuf; pBuf += 1; ielen -= 1; pDst->tsinfo_rsvd = tmp25__ >> 0 & 0x7f; pDst->burst_size_defn = tmp25__ >> 7 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp26__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp26__ >> 0 & 0x7fff; pDst->fixed = tmp26__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; 
ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2529,12 +3354,27 @@ tANI_U32 dot11fUnpackIeWiderBWChanSwitchAnn(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newChanWidth = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq0 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq1 = *pBuf; (void)pCtx; return status; 
@@ -2569,6 +3409,11 @@ tANI_U32 dot11fUnpackIeAID(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->assocId, pBuf, 0); (void)pCtx; return status; @@ -2583,15 +3428,35 @@ tANI_U32 dot11fUnpackIeCFParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->cfp_count = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->cfp_period = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->cfp_maxduration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->cfp_durremaining, pBuf, 0); (void)pCtx; return status; @@ -2626,12 +3491,27 @@ tANI_U32 dot11fUnpackIeChanSwitchAnn(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switchMode = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newChannel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switchCount = *pBuf; (void)pCtx; return status; 
@@ -2676,6 +3556,11 @@ tANI_U32 dot11fUnpackIeCountry(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->country, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; @@ -2718,12 +3603,27 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qos = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp27__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2731,14 +3631,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acbe_acm = tmp27__ >> 4 & 0x1; pDst->acbe_aci = tmp27__ >> 5 & 0x3; pDst->unused1 = tmp27__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp28__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp28__ >> 0 & 0xf; pDst->acbe_acwmax = tmp28__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp29__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2746,14 +3661,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acbk_acm = tmp29__ >> 4 & 0x1; pDst->acbk_aci = tmp29__ >> 5 & 0x3; pDst->unused2 = tmp29__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp30__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp30__ >> 0 & 0xf; pDst->acbk_acwmax = tmp30__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp31__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2761,14 +3691,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acvi_acm = tmp31__ >> 4 & 0x1; pDst->acvi_aci = tmp31__ >> 5 & 0x3; pDst->unused3 = tmp31__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp32__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp32__ >> 0 & 0xf; pDst->acvi_acwmax = tmp32__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp33__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2776,11 +3721,21 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acvo_acm = tmp33__ >> 4 & 0x1; pDst->acvo_aci = tmp33__ >> 5 & 0x3; pDst->unused4 = tmp33__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp34__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp34__ >> 0 & 0xf; pDst->acvo_acwmax = tmp34__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -2796,6 +3751,11 @@ tANI_U32 dot11fUnpackIeERPInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp35__ = *pBuf; pDst->non_erp_present = tmp35__ >> 0 & 0x1; pDst->use_prot = tmp35__ >> 1 & 0x1; @@ -2835,9 +3795,19 @@ tANI_U32 dot11fUnpackIeESERadMgmtCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->mgmt_state = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp36__ = *pBuf; pDst->mbssid_mask = tmp36__ >> 0 & 0x7; pDst->reserved = tmp36__ >> 3 & 0x1f; 
@@ -2854,12 +3824,27 @@ tANI_U32 dot11fUnpackIeESETrafStrmMet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tsid = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->state = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->msmt_interval, pBuf, 0); (void)pCtx; return status; @@ -2874,6 +3859,11 @@ tANI_U32 dot11fUnpackIeESETrafStrmRateSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tsid = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -2897,9 +3887,19 @@ tANI_U32 dot11fUnpackIeESETxmitPower(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->power_limit = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved = *pBuf; (void)pCtx; return status; @@ -2914,6 +3914,11 @@ tANI_U32 dot11fUnpackIeESEVersion(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; (void)pCtx; return status; 
@@ -2981,15 +3986,35 @@ tANI_U32 dot11fUnpackIeFHParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->dwell_time, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_set = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_pattern = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_index = *pBuf; (void)pCtx; return status; @@ -3004,9 +4029,19 @@ tANI_U32 dot11fUnpackIeFHParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->radix = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->nchannels = *pBuf; (void)pCtx; return status; 
@@ -3021,15 +4056,35 @@ tANI_U32 dot11fUnpackIeFHPattTable(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->flag = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->nsets = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->modulus = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->offset = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3066,17 +4121,37 @@ tANI_U32 dot11fUnpackIeFTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp37__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->reserved = tmp37__ >> 0 & 0xff; pDst->IECount = tmp37__ >> 8 & 0xff; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->MIC, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Anonce, pBuf, 32); pBuf += 32; ielen -= (tANI_U8)32; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Snonce, pBuf, 32); pBuf += 32; ielen -= (tANI_U8)32; 
@@ -3101,6 +4176,11 @@ tANI_U32 dot11fUnpackIeHT2040BSSCoexistence(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp38__ = *pBuf; pDst->infoRequest = tmp38__ >> 0 & 0x1; pDst->fortyMHzIntolerant = tmp38__ >> 1 & 0x1; @@ -3121,6 +4201,11 @@ tANI_U32 dot11fUnpackIeHT2040BSSIntolerantReport(tpAniSirGlobal pCtx, tANI_U8 *p (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->operatingClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3149,6 +4234,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp39__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3166,15 +4256,30 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->psmp = tmp39__ >> 13 & 0x1; pDst->stbcControlFrame = tmp39__ >> 14 & 0x1; pDst->lsigTXOPProtection = tmp39__ >> 15 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp40__ = *pBuf; pBuf += 1; ielen -= 1; pDst->maxRxAMPDUFactor = tmp40__ >> 0 & 0x3; pDst->mpduDensity = tmp40__ >> 2 & 0x7; pDst->reserved1 = tmp40__ >> 5 & 0x7; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->supportedMCSSet, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp41__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3183,6 +4288,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->reserved2 = tmp41__ >> 3 & 0x1f; pDst->mcsFeedback = tmp41__ >> 8 & 0x3; pDst->reserved3 = tmp41__ >> 10 & 0x3f; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp42__, pBuf, 0); pBuf += 4; ielen -= 4; @@ -3202,6 +4312,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->uncompressedSteeringMatrixBFAntennae = tmp42__ >> 21 & 0x3; pDst->compressedSteeringMatrixBFAntennae = tmp42__ >> 23 & 0x3; pDst->reserved4 = tmp42__ >> 25 & 0x7f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp43__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3236,9 +4351,19 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->primaryChannel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp44__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3247,6 +4372,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->rifsMode = tmp44__ >> 3 & 0x1; pDst->controlledAccessOnly = tmp44__ >> 4 & 0x1; pDst->serviceIntervalGranularity = tmp44__ >> 5 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp45__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3255,6 +4385,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->transmitBurstLimit = tmp45__ >> 3 & 0x1; pDst->obssNonHTStaPresent = tmp45__ >> 4 & 0x1; pDst->reserved = tmp45__ >> 5 & 0x7ff; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp46__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3265,6 +4400,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->pcoActive = tmp46__ >> 10 & 0x1; pDst->pcoPhase = tmp46__ >> 11 & 0x1; pDst->reserved2 = tmp46__ >> 12 & 0xf; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->basicMCSSet, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; @@ -3288,6 +4428,11 @@ tANI_U32 dot11fUnpackIeIBSSParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->atim, pBuf, 0); (void)pCtx; return status; @@ -3302,12 +4447,27 @@ tANI_U32 dot11fUnpackIeLinkIdentifier(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->InitStaAddr, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RespStaAddr, pBuf, 6); (void)pCtx; return status; 
@@ -3334,9 +4494,19 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->token = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp47__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3344,6 +4514,11 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN pDst->incapable = tmp47__ >> 1 & 0x1; pDst->refused = tmp47__ >> 2 & 0x1; pDst->unused = tmp47__ >> 3 & 0x1f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3356,15 +4531,35 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN switch (pDst->type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Basic.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Basic.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp48__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3376,84 +4571,209 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN pDst->report.Basic.unused = tmp48__ >> 5 & 0x7; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.CCA.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.cca_busy_fraction = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.RPIHistogram.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi0_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi1_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi2_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + 
pDst->report.RPIHistogram.rpi3_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi4_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi5_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi6_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi7_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Beacon.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp49__ = *pBuf; pBuf += 1; ielen -= 1; pDst->report.Beacon.condensed_PHY = tmp49__ >> 0 & 0x7f; pDst->report.Beacon.reported_frame_type = tmp49__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RCPI = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RSNI = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + 
if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->report.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.antenna_id = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->report.Beacon.parent_TSF, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; @@ -3494,9 +4814,19 @@ tANI_U32 dot11fUnpackIeMeasurementRequest(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_token = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp50__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3506,60 +4836,140 @@ tANI_U32 dot11fUnpackIeMeasurementRequest(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA pDst->report = tmp50__ >> 3 & 0x1; pDst->durationMandatory = tmp50__ >> 4 & 0x1; pDst->unused = tmp50__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->measurement_type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Basic.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Basic.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.CCA.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.CCA.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.RPIHistogram.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.RPIHistogram.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; 
+ return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.randomization, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.meas_mode = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; @@ -3586,9 +4996,19 @@ tANI_U32 dot11fUnpackIeMobilityDomain(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->MDID, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp51__ = *pBuf; pDst->overDSCap = tmp51__ >> 0 & 0x1; pDst->resourceReqCap = tmp51__ >> 1 & 0x1; 
@@ -3621,9 +5041,19 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp52__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3634,6 +5064,11 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U pDst->QosCap = tmp52__ >> 5 & 0x1; pDst->apsd = tmp52__ >> 6 & 0x1; pDst->rrm = tmp52__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp53__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3641,15 +5076,35 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U pDst->ImmBA = tmp53__ >> 1 & 0x1; pDst->MobilityDomain = tmp53__ >> 2 & 0x1; pDst->reserved = tmp53__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -3673,24 +5128,59 @@ tANI_U32 dot11fUnpackIeOBSSScanParameters(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveDwell, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveDwell, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssChannelWidthTriggerScanInterval, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssWidthChannelTransitionDelayFactor, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActivityThreshold, pBuf, 0); (void)pCtx; return status; @@ -3706,6 +5196,11 @@ tANI_U32 dot11fUnpackIeOperatingMode(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp54__ = *pBuf; pDst->chanWidth = tmp54__ >> 0 & 0x3; pDst->reserved = tmp54__ >> 2 & 0x3; 
@@ -4137,9 +5632,19 @@ tANI_U32 dot11fUnpackIePTIControl(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tid = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sequence_control, pBuf, 0); (void)pCtx; return status; @@ -4155,6 +5660,11 @@ tANI_U32 dot11fUnpackIePUBufferStatus(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp55__ = *pBuf; pDst->ac_bk_traffic_aval = tmp55__ >> 0 & 0x1; pDst->ac_be_traffic_aval = tmp55__ >> 1 & 0x1; @@ -4174,9 +5684,19 @@ tANI_U32 dot11fUnpackIePowerCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->minTxPower = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxTxPower = *pBuf; (void)pCtx; return status; @@ -4191,6 +5711,11 @@ tANI_U32 dot11fUnpackIePowerConstraints(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->localPowerConstraints = *pBuf; (void)pCtx; return status; 
@@ -4205,12 +5730,27 @@ tANI_U32 dot11fUnpackIeQBSSLoad(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->stacount, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chautil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->avail, pBuf, 0); (void)pCtx; return status; @@ -4256,6 +5796,11 @@ tANI_U32 dot11fUnpackIeQOSCapsAp(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp56__ = *pBuf; pDst->count = tmp56__ >> 0 & 0xf; pDst->qack = tmp56__ >> 4 & 0x1; @@ -4276,6 +5821,11 @@ tANI_U32 dot11fUnpackIeQOSCapsStation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp57__ = *pBuf; pDst->acvo_uapsd = tmp57__ >> 0 & 0x1; pDst->acvi_uapsd = tmp57__ >> 1 & 0x1; 
@@ -4317,15 +5867,35 @@ tANI_U32 dot11fUnpackIeQuiet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->count = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->period = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->offset, pBuf, 0); (void)pCtx; return status; @@ -4340,6 +5910,11 @@ tANI_U32 dot11fUnpackIeRCPIIE(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rcpi = *pBuf; (void)pCtx; return status; @@ -4394,6 +5969,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -4402,6 +5982,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->gp_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; 
@@ -4414,10 +5999,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->pwise_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->pwise_cipher_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->pwise_cipher_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4434,10 +6029,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->akm_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->akm_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4453,6 +6058,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RSN_Cap, pBuf, 2); pBuf += 2; ielen -= (tANI_U8)2; @@ -4464,10 +6074,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->pmkid_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->pmkid_count * 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->pmkid_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -4482,6 +6102,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->gp_mgmt_cipher_suite, pBuf, 4); } (void)pCtx; @@ -4497,6 +6122,11 @@ tANI_U32 dot11fUnpackIeRSNIIE(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rsni = *pBuf; (void)pCtx; return status; @@ -4599,12 +6229,27 @@ tANI_U32 dot11fUnpackIeTIM(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_count = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_period = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->bmpctl = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4628,9 +6273,19 @@ tANI_U32 dot11fUnpackIeTPCReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tx_power = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->link_margin = *pBuf; (void)pCtx; return status; 
@@ -4658,12 +6313,27 @@ tANI_U32 dot11fUnpackIeTimeAdvertisement(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timing_capabilities = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 10)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_value, pBuf, 10); pBuf += 10; ielen -= (tANI_U8)10; + if (unlikely(ielen < 5)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_error, pBuf, 5); (void)pCtx; return status; @@ -4678,9 +6348,19 @@ tANI_U32 dot11fUnpackIeTimeoutInterval(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timeoutType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->timeoutValue, pBuf, 0); (void)pCtx; return status; 
@@ -4695,18 +6375,43 @@ tANI_U32 dot11fUnpackIeVHTExtBssLoad(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->muMIMOCapStaCount = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->ssUnderUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->FortyMHzUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->EightyMHzUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->OneSixtyMHzUtil = *pBuf; (void)pCtx; return status; @@ -4748,6 +6453,11 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -4756,9 +6466,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < pDst->akm_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->akm_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -4767,9 +6487,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t DOT11F_MEMCPY(pCtx, pDst->akm_suites, pBuf, ( pDst->akm_suite_count * 4 ) ); pBuf += ( pDst->akm_suite_count * 4 ); ielen -= ( pDst->akm_suite_count * 4 ); + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < pDst->unicast_cipher_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4778,9 +6508,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t DOT11F_MEMCPY(pCtx, pDst->unicast_cipher_suites, pBuf, ( pDst->unicast_cipher_suite_count * 4 ) ); pBuf += ( pDst->unicast_cipher_suite_count * 4 ); ielen -= ( pDst->unicast_cipher_suite_count * 4 ); + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp58__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -4793,10 +6533,20 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bkid_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->bkid_count * 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->bkid_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -4836,9 +6586,19 @@ tANI_U32 dot11fUnpackIeWFATPC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->txPower = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->linkMargin = *pBuf; (void)pCtx; return status; @@ -4874,6 +6634,11 @@ tANI_U32 dot11fUnpackIeWMMCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4882,6 +6647,11 @@ tANI_U32 dot11fUnpackIeWMMCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp59__ = *pBuf; pDst->reserved = tmp59__ >> 0 & 0xf; pDst->qack = tmp59__ >> 4 & 0x1; @@ -4902,9 +6672,19 @@ tANI_U32 dot11fUnpackIeWMMInfoAp(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp60__ = *pBuf; pDst->param_set_count = tmp60__ >> 0 & 0xf; pDst->reserved = tmp60__ >> 4 & 0x7; 
@@ -4923,9 +6703,19 @@ tANI_U32 dot11fUnpackIeWMMInfoStation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp61__ = *pBuf; pDst->acvo_uapsd = tmp61__ >> 0 & 0x1; pDst->acvi_uapsd = tmp61__ >> 1 & 0x1; @@ -4955,6 +6745,11 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4963,12 +6758,27 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qosInfo = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved2 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp62__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -4976,14 +6786,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acbe_acm = tmp62__ >> 4 & 0x1; pDst->acbe_aci = tmp62__ >> 5 & 0x3; pDst->unused1 = tmp62__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp63__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp63__ >> 0 & 0xf; pDst->acbe_acwmax = tmp63__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp64__ = *pBuf; pBuf += 1; ielen -= 1; @@ -4991,14 +6816,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acbk_acm = tmp64__ >> 4 & 0x1; pDst->acbk_aci = tmp64__ >> 5 & 0x3; pDst->unused2 = tmp64__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp65__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp65__ >> 0 & 0xf; pDst->acbk_acwmax = tmp65__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp66__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -5006,14 +6846,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acvi_acm = tmp66__ >> 4 & 0x1; pDst->acvi_aci = tmp66__ >> 5 & 0x3; pDst->unused3 = tmp66__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp67__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp67__ >> 0 & 0xf; pDst->acvi_acwmax = tmp67__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp68__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5021,11 +6876,21 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acvo_acm = tmp68__ >> 4 & 0x1; pDst->acvo_aci = tmp68__ >> 5 & 0x3; pDst->unused4 = tmp68__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp69__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp69__ >> 0 & 0xf; pDst->acvo_acwmax = tmp69__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -5040,6 +6905,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; 
@@ -5058,6 +6928,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD else { pDst->multicast_cipher_present = 1U; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; @@ -5070,10 +6945,20 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->unicast_cipher_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5089,10 +6974,20 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->auth_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->auth_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->auth_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5107,6 +7002,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->caps, pBuf, 0); } (void)pCtx; 
@@ -5379,15 +7279,35 @@ tANI_U32 dot11fUnpackIeext_chan_switch_ann(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_mode = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_reg_class = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_count = *pBuf; (void)pCtx; return status; @@ -5402,6 +7322,11 @@ tANI_U32 dot11fUnpackIefils_assoc_delay_info(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->assoc_delay_info = *pBuf; (void)pCtx; return status; @@ -5416,9 +7341,19 @@ tANI_U32 dot11fUnpackIefils_hlp_container(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->dest_mac, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->src_mac, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; 
@@ -5438,6 +7373,11 @@ tANI_U32 dot11fUnpackIefils_indication(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp70__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -5465,6 +7405,11 @@ tANI_U32 dot11fUnpackIefils_kde(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key_rsc, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; @@ -5498,6 +7443,11 @@ tANI_U32 dot11fUnpackIefils_nonce(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->nonce, pBuf, 16); (void)pCtx; return status; @@ -5512,6 +7462,11 @@ tANI_U32 dot11fUnpackIefils_public_key(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->key_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -5530,6 +7485,11 @@ tANI_U32 dot11fUnpackIefils_session(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->session, pBuf, 8); (void)pCtx; return status; 
@@ -5560,6 +7520,11 @@ tANI_U32 dot11fUnpackIehs20vendor_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp71__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5576,11 +7541,21 @@ tANI_U32 dot11fUnpackIehs20vendor_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 switch (pDst->hs_id_present) { case 1: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->hs_id.pps_mo.pps_mo_id, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->hs_id.anqp_domain.anqp_domain_id, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -5600,6 +7575,11 @@ tANI_U32 dot11fUnpackIesec_chan_offset_ele(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->secondaryChannelOffset = *pBuf; (void)pCtx; return status; @@ -5624,9 +7604,19 @@ tANI_U32 dot11fUnpackIevendor2_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->sub_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -23647,6 +25637,9 @@ tANI_U32 dot11fPackTlvVersion2(tpAniSirGlobal pCtx, tmp80__ = 0U; tmp80__ |= ( pSrc->minor << 0 ); tmp80__ |= ( pSrc->major << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp80__; *pnConsumed += 1; pBuf += 1; @@ -24868,6 +26861,9 @@ tANI_U32 dot11fPackTlvVersion(tpAniSirGlobal pCtx, tmp81__ = 0U; tmp81__ |= ( pSrc->minor << 0 ); tmp81__ |= ( pSrc->major << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp81__; *pnConsumed += 1; pBuf += 1; @@ -25023,6 +27019,9 @@ tANI_U32 dot11fPackIeGTK(tpAniSirGlobal pCtx, tmp82__ = 0U; tmp82__ |= ( pSrc->keyId << 0 ); tmp82__ |= ( pSrc->reserved << 2 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp82__, 0); *pnConsumed += 2; pBuf += 2; @@ -25533,6 +27532,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx, tmp83__ |= ( pSrc->BeaconActive << 5 ); tmp83__ |= ( pSrc->BeaconTable << 6 ); tmp83__ |= ( pSrc->BeaconRepCond << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp83__; *pnConsumed += 1; pBuf += 1; @@ -25546,6 +27548,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx, tmp84__ |= ( pSrc->LCIAzimuth << 5 ); tmp84__ |= ( pSrc->TCMCapability << 6 ); tmp84__ |= ( pSrc->triggeredTCM << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp84__; *pnConsumed += 1; pBuf += 1; @@ -25555,6 +27560,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx, tmp85__ |= ( pSrc->RRMMIBEnabled << 1 ); tmp85__ |= ( pSrc->operatingChanMax << 2 ); tmp85__ |= ( pSrc->nonOperatinChanMax << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp85__; *pnConsumed += 1; pBuf += 1; 
@@ -25566,6 +27574,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx, tmp86__ |= ( pSrc->RCPIMeasurement << 5 ); tmp86__ |= ( pSrc->RSNIMeasurement << 6 ); tmp86__ |= ( pSrc->BssAvgAccessDelay << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp86__; *pnConsumed += 1; pBuf += 1; @@ -25576,6 +27587,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx, tmp87__ |= ( pSrc->fine_time_meas_rpt << 2 ); tmp87__ |= ( pSrc->lci_capability << 3 ); tmp87__ |= ( pSrc->reserved << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp87__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -25673,6 +27687,9 @@ tANI_U32 dot11fPackIeSchedule(tpAniSirGlobal pCtx, tmp88__ |= ( pSrc->tsid << 1 ); tmp88__ |= ( pSrc->direction << 5 ); tmp88__ |= ( pSrc->reserved << 7 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp88__, 0); *pnConsumed += 2; pBuf += 2; @@ -25893,6 +27910,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx, tmp89__ |= ( pSrc->psb << 10 ); tmp89__ |= ( pSrc->user_priority << 11 ); tmp89__ |= ( pSrc->tsinfo_ack_pol << 14 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp89__, 0); *pnConsumed += 2; pBuf += 2; @@ -25900,6 +27920,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx, tmp90__ = 0U; tmp90__ |= ( pSrc->schedule << 0 ); tmp90__ |= ( pSrc->unused << 1 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp90__; *pnConsumed += 1; pBuf += 1; @@ -25907,6 +27930,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx, tmp91__ = 0U; tmp91__ |= ( pSrc->size << 0 ); tmp91__ |= ( pSrc->fixed << 15 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp91__, 0); *pnConsumed += 2; pBuf += 2; 
@@ -26004,6 +28030,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx, tmp92__ |= ( pSrc->rxAntPattern << 28 ); tmp92__ |= ( pSrc->txAntPattern << 29 ); tmp92__ |= ( pSrc->reserved1 << 30 ); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp92__, 0); *pnConsumed += 4; pBuf += 4; @@ -26014,6 +28043,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx, tmp93__ = 0U; tmp93__ |= ( pSrc->rxHighSupDataRate << 0 ); tmp93__ |= ( pSrc->reserved2 << 13 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp93__, 0); *pnConsumed += 2; pBuf += 2; @@ -26024,6 +28056,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx, tmp94__ = 0U; tmp94__ |= ( pSrc->txSupDataRate << 0 ); tmp94__ |= ( pSrc->reserved3 << 13 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp94__, 0); *pnConsumed += 2; // fieldsEndFlag = 1 @@ -26113,6 +28148,9 @@ tANI_U32 dot11fPackIeWMMSchedule(tpAniSirGlobal pCtx, tmp95__ |= ( pSrc->tsid << 1 ); tmp95__ |= ( pSrc->direction << 5 ); tmp95__ |= ( pSrc->reserved << 7 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp95__, 0); *pnConsumed += 2; pBuf += 2; @@ -26385,6 +28423,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx, tmp96__ |= ( pSrc->psb << 10 ); tmp96__ |= ( pSrc->user_priority << 11 ); tmp96__ |= ( pSrc->tsinfo_ack_pol << 14 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp96__, 0); *pnConsumed += 2; pBuf += 2; @@ -26392,6 +28433,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx, tmp97__ = 0U; tmp97__ |= ( pSrc->tsinfo_rsvd << 0 ); tmp97__ |= ( pSrc->burst_size_defn << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp97__; *pnConsumed += 1; pBuf += 1; 
@@ -26399,6 +28443,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx, tmp98__ = 0U; tmp98__ |= ( pSrc->size << 0 ); tmp98__ |= ( pSrc->fixed << 15 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp98__, 0); *pnConsumed += 2; pBuf += 2; @@ -26796,6 +28843,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp99__ |= ( pSrc->acbe_acm << 4 ); tmp99__ |= ( pSrc->acbe_aci << 5 ); tmp99__ |= ( pSrc->unused1 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp99__; *pnConsumed += 1; pBuf += 1; @@ -26803,6 +28853,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp100__ = 0U; tmp100__ |= ( pSrc->acbe_acwmin << 0 ); tmp100__ |= ( pSrc->acbe_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp100__; *pnConsumed += 1; pBuf += 1; @@ -26815,6 +28868,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp101__ |= ( pSrc->acbk_acm << 4 ); tmp101__ |= ( pSrc->acbk_aci << 5 ); tmp101__ |= ( pSrc->unused2 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp101__; *pnConsumed += 1; pBuf += 1; @@ -26822,6 +28878,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp102__ = 0U; tmp102__ |= ( pSrc->acbk_acwmin << 0 ); tmp102__ |= ( pSrc->acbk_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp102__; *pnConsumed += 1; pBuf += 1; @@ -26834,6 +28893,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp103__ |= ( pSrc->acvi_acm << 4 ); tmp103__ |= ( pSrc->acvi_aci << 5 ); tmp103__ |= ( pSrc->unused3 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp103__; *pnConsumed += 1; pBuf += 1; 
@@ -26841,6 +28903,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp104__ = 0U; tmp104__ |= ( pSrc->acvi_acwmin << 0 ); tmp104__ |= ( pSrc->acvi_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp104__; *pnConsumed += 1; pBuf += 1; @@ -26853,6 +28918,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp105__ |= ( pSrc->acvo_acm << 4 ); tmp105__ |= ( pSrc->acvo_aci << 5 ); tmp105__ |= ( pSrc->unused4 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp105__; *pnConsumed += 1; pBuf += 1; @@ -26860,6 +28928,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx, tmp106__ = 0U; tmp106__ |= ( pSrc->acvo_acwmin << 0 ); tmp106__ |= ( pSrc->acvo_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp106__; *pnConsumed += 1; pBuf += 1; @@ -26900,6 +28971,9 @@ tANI_U32 dot11fPackIeERPInfo(tpAniSirGlobal pCtx, tmp107__ |= ( pSrc->use_prot << 1 ); tmp107__ |= ( pSrc->barker_preamble << 2 ); tmp107__ |= ( pSrc->unused << 3 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp107__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -26984,6 +29058,9 @@ tANI_U32 dot11fPackIeESERadMgmtCap(tpAniSirGlobal pCtx, tmp108__ = 0U; tmp108__ |= ( pSrc->mbssid_mask << 0 ); tmp108__ |= ( pSrc->reserved << 3 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp108__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -27359,6 +29436,9 @@ tANI_U32 dot11fPackIeFTInfo(tpAniSirGlobal pCtx, tmp109__ = 0U; tmp109__ |= ( pSrc->reserved << 0 ); tmp109__ |= ( pSrc->IECount << 8 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp109__, 0); *pnConsumed += 2; pBuf += 2; 
@@ -27414,6 +29494,9 @@ tANI_U32 dot11fPackIeHT2040BSSCoexistence(tpAniSirGlobal pCtx, tmp110__ |= ( pSrc->obssScanExemptionReq << 3 ); tmp110__ |= ( pSrc->obssScanExemptionGrant << 4 ); tmp110__ |= ( pSrc->unused << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp110__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -27498,6 +29581,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx, tmp111__ |= ( pSrc->psmp << 13 ); tmp111__ |= ( pSrc->stbcControlFrame << 14 ); tmp111__ |= ( pSrc->lsigTXOPProtection << 15 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp111__, 0); *pnConsumed += 2; pBuf += 2; @@ -27506,6 +29592,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx, tmp112__ |= ( pSrc->maxRxAMPDUFactor << 0 ); tmp112__ |= ( pSrc->mpduDensity << 2 ); tmp112__ |= ( pSrc->reserved1 << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp112__; *pnConsumed += 1; pBuf += 1; @@ -27519,6 +29608,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx, tmp113__ |= ( pSrc->reserved2 << 3 ); tmp113__ |= ( pSrc->mcsFeedback << 8 ); tmp113__ |= ( pSrc->reserved3 << 10 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp113__, 0); *pnConsumed += 2; pBuf += 2; @@ -27540,6 +29632,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx, tmp114__ |= ( pSrc->uncompressedSteeringMatrixBFAntennae << 21 ); tmp114__ |= ( pSrc->compressedSteeringMatrixBFAntennae << 23 ); tmp114__ |= ( pSrc->reserved4 << 25 ); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp114__, 0); *pnConsumed += 4; pBuf += 4; @@ -27553,6 +29648,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx, tmp115__ |= ( pSrc->rxAS << 5 ); tmp115__ |= ( pSrc->txSoundingPPDUs << 6 ); tmp115__ |= ( pSrc->reserved5 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp115__; *pnConsumed += 1; pBuf += 1; 
@@ -27599,6 +29697,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx, tmp116__ |= ( pSrc->rifsMode << 3 ); tmp116__ |= ( pSrc->controlledAccessOnly << 4 ); tmp116__ |= ( pSrc->serviceIntervalGranularity << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp116__; *pnConsumed += 1; pBuf += 1; @@ -27609,6 +29710,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx, tmp117__ |= ( pSrc->transmitBurstLimit << 3 ); tmp117__ |= ( pSrc->obssNonHTStaPresent << 4 ); tmp117__ |= ( pSrc->reserved << 5 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp117__, 0); *pnConsumed += 2; pBuf += 2; @@ -27621,6 +29725,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx, tmp118__ |= ( pSrc->pcoActive << 10 ); tmp118__ |= ( pSrc->pcoPhase << 11 ); tmp118__ |= ( pSrc->reserved2 << 12 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp118__, 0); *pnConsumed += 2; pBuf += 2; @@ -27737,6 +29844,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx, tmp119__ |= ( pSrc->incapable << 1 ); tmp119__ |= ( pSrc->refused << 2 ); tmp119__ |= ( pSrc->unused << 3 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp119__; *pnConsumed += 1; pBuf += 1; @@ -27764,6 +29874,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx, tmp120__ |= ( pSrc->report.Basic.rader << 3 ); tmp120__ |= ( pSrc->report.Basic.unmeasured << 4 ); tmp120__ |= ( pSrc->report.Basic.unused << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp120__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -27834,6 +29947,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx, tmp121__ = 0U; tmp121__ |= ( pSrc->report.Beacon.condensed_PHY << 0 ); tmp121__ |= ( pSrc->report.Beacon.reported_frame_type << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp121__; *pnConsumed += 1; pBuf += 1; 
@@ -27904,6 +30020,9 @@ tANI_U32 dot11fPackIeMeasurementRequest(tpAniSirGlobal pCtx, tmp122__ |= ( pSrc->report << 3 ); tmp122__ |= ( pSrc->durationMandatory << 4 ); tmp122__ |= ( pSrc->unused << 5 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp122__; *pnConsumed += 1; pBuf += 1; @@ -28009,6 +30128,9 @@ tANI_U32 dot11fPackIeMobilityDomain(tpAniSirGlobal pCtx, tmp123__ |= ( pSrc->overDSCap << 0 ); tmp123__ |= ( pSrc->resourceReqCap << 1 ); tmp123__ |= ( pSrc->reserved << 2 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp123__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -28055,6 +30177,9 @@ tANI_U32 dot11fPackIeNeighborReport(tpAniSirGlobal pCtx, tmp124__ |= ( pSrc->QosCap << 5 ); tmp124__ |= ( pSrc->apsd << 6 ); tmp124__ |= ( pSrc->rrm << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp124__; *pnConsumed += 1; pBuf += 1; @@ -28064,6 +30189,9 @@ tANI_U32 dot11fPackIeNeighborReport(tpAniSirGlobal pCtx, tmp125__ |= ( pSrc->ImmBA << 1 ); tmp125__ |= ( pSrc->MobilityDomain << 2 ); tmp125__ |= ( pSrc->reserved << 3 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp125__; *pnConsumed += 1; pBuf += 1; @@ -28168,6 +30296,9 @@ tANI_U32 dot11fPackIeOperatingMode(tpAniSirGlobal pCtx, tmp126__ |= ( pSrc->reserved << 2 ); tmp126__ |= ( pSrc->rxNSS << 4 ); tmp126__ |= ( pSrc->rxNSSType << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp126__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -29137,6 +31268,9 @@ tANI_U32 dot11fPackIePUBufferStatus(tpAniSirGlobal pCtx, tmp127__ |= ( pSrc->ac_vi_traffic_aval << 2 ); tmp127__ |= ( pSrc->ac_vo_traffic_aval << 3 ); tmp127__ |= ( pSrc->reserved << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp127__; *pnConsumed += 1; // fieldsEndFlag = 1 
@@ -29316,6 +31450,9 @@ tANI_U32 dot11fPackIeQOSCapsAp(tpAniSirGlobal pCtx, tmp128__ |= ( pSrc->qreq << 5 ); tmp128__ |= ( pSrc->txopreq << 6 ); tmp128__ |= ( pSrc->reserved << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp128__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -29356,6 +31493,9 @@ tANI_U32 dot11fPackIeQOSCapsStation(tpAniSirGlobal pCtx, tmp129__ |= ( pSrc->qack << 4 ); tmp129__ |= ( pSrc->max_sp_length << 5 ); tmp129__ |= ( pSrc->more_data_ack << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp129__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -30034,6 +32174,9 @@ tANI_U32 dot11fPackIeWAPI(tpAniSirGlobal pCtx, tmp130__ = 0U; tmp130__ |= ( pSrc->preauth << 0 ); tmp130__ |= ( pSrc->reserved << 1 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp130__, 0); *pnConsumed += 2; pBuf += 2; @@ -30205,6 +32348,9 @@ tANI_U32 dot11fPackIeWMMCaps(tpAniSirGlobal pCtx, tmp131__ |= ( pSrc->queue_request << 5 ); tmp131__ |= ( pSrc->txop_request << 6 ); tmp131__ |= ( pSrc->more_ack << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp131__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -30254,6 +32400,9 @@ tANI_U32 dot11fPackIeWMMInfoAp(tpAniSirGlobal pCtx, tmp132__ |= ( pSrc->param_set_count << 0 ); tmp132__ |= ( pSrc->reserved << 4 ); tmp132__ |= ( pSrc->uapsd << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp132__; *pnConsumed += 1; // fieldsEndFlag = 1 @@ -30307,6 +32456,9 @@ tANI_U32 dot11fPackIeWMMInfoStation(tpAniSirGlobal pCtx, tmp133__ |= ( pSrc->reserved1 << 4 ); tmp133__ |= ( pSrc->max_sp_length << 5 ); tmp133__ |= ( pSrc->reserved2 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp133__; *pnConsumed += 1; // fieldsEndFlag = 1 
@@ -30370,6 +32522,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp134__ |= ( pSrc->acbe_acm << 4 ); tmp134__ |= ( pSrc->acbe_aci << 5 ); tmp134__ |= ( pSrc->unused1 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp134__; *pnConsumed += 1; pBuf += 1; @@ -30377,6 +32532,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp135__ = 0U; tmp135__ |= ( pSrc->acbe_acwmin << 0 ); tmp135__ |= ( pSrc->acbe_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp135__; *pnConsumed += 1; pBuf += 1; @@ -30389,6 +32547,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp136__ |= ( pSrc->acbk_acm << 4 ); tmp136__ |= ( pSrc->acbk_aci << 5 ); tmp136__ |= ( pSrc->unused2 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp136__; *pnConsumed += 1; pBuf += 1; @@ -30396,6 +32557,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp137__ = 0U; tmp137__ |= ( pSrc->acbk_acwmin << 0 ); tmp137__ |= ( pSrc->acbk_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp137__; *pnConsumed += 1; pBuf += 1; @@ -30408,6 +32572,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp138__ |= ( pSrc->acvi_acm << 4 ); tmp138__ |= ( pSrc->acvi_aci << 5 ); tmp138__ |= ( pSrc->unused3 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp138__; *pnConsumed += 1; pBuf += 1; @@ -30415,6 +32582,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp139__ = 0U; tmp139__ |= ( pSrc->acvi_acwmin << 0 ); tmp139__ |= ( pSrc->acvi_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp139__; *pnConsumed += 1; pBuf += 1; @@ -30427,6 +32597,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp140__ |= ( pSrc->acvo_acm << 4 ); tmp140__ |= ( pSrc->acvo_aci << 5 ); tmp140__ |= ( pSrc->unused4 << 7 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp140__; *pnConsumed += 1; pBuf += 1; 
@@ -30434,6 +32607,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx, tmp141__ = 0U; tmp141__ |= ( pSrc->acvo_acwmin << 0 ); tmp141__ |= ( pSrc->acvo_acwmax << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp141__; *pnConsumed += 1; pBuf += 1; @@ -31078,6 +33254,9 @@ tANI_U32 dot11fPackIefils_indication(tpAniSirGlobal pCtx, tmp142__ |= ( pSrc->is_fils_sk_auth_pfs_supported << 10 ); tmp142__ |= ( pSrc->is_pk_auth_supported << 11 ); tmp142__ |= ( pSrc->reserved << 12 ); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp142__, 0); *pnConsumed += 2; pBuf += 2; @@ -31326,6 +33505,9 @@ tANI_U32 dot11fPackIehs20vendor_ie(tpAniSirGlobal pCtx, tmp143__ |= ( pSrc->hs_id_present << 1 ); tmp143__ |= ( pSrc->reserved << 3 ); tmp143__ |= ( pSrc->release_num << 4 ); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp143__; *pnConsumed += 1; pBuf += 1; |
