authorJingxiang Ge <jge@codeaurora.org>2018-12-11 15:03:39 +0800
committernshrivas <nshrivas@codeaurora.org>2018-12-13 17:20:11 -0800
commita3d6923ee9f0cd5146ac5e8e19d4752bab655497 (patch)
tree5cc1f76052ccd00c4c386c8317de4ba2a39ee189
parent0973bb5f4e1c74d8b4ce0a2373174de536569f62 (diff)
qcacld-3.0: Skip IE which has length less than the minimum valid IE length
The QBSS IE has a minimum length of 4 bytes for version 1 and 5 bytes for version 2. The driver uses a minimum length of 5 bytes for this IE, which can cause the WPA IE parse to fail when the QBSS IE is 4 bytes; scan results then cannot be fetched because of a security mismatch, and the subsequent connection fails. The fix is to skip any IE whose length is less than the minimum valid length. Change-Id: I00fbffad221e2d9ecedcb87c9607ac8abd7c55b1 CRs-Fixed: 2364663
-rw-r--r--core/mac/src/include/dot11f.h2
-rw-r--r--core/mac/src/sys/legacy/src/utils/src/dot11f.c25
2 files changed, 16 insertions, 11 deletions
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 2be3a3883eee..cc69a0ed216d 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -26,7 +26,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Tue Sep 18 11:47:29 2018 from the following file(s):
+ * Tue Dec 11 14:40:59 2018 from the following file(s):
*
* dot11f.frms
*
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index 65d29ae9a82d..fa57865abc1e 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -24,7 +24,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Tue Sep 18 11:47:29 2018 from the following file(s):
+ * Tue Dec 11 14:40:59 2018 from the following file(s):
*
* dot11f.frms
*
@@ -12083,20 +12083,25 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
}
if (pIe) {
- if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
- (len < pIe->minSize - pIe->noui - 2U)) {
- FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
+ if ((nBufRemaining < pIe->minSize - pIe->noui - 2U)) {
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
"be at least %d bytes in size, but "
"there are only %d bytes remaining in "
- "this frame or the IE reports a size "
- "of %d bytes.\n"),
- pIe->name, pIe->minSize, nBufRemaining,
- (len + pIe->noui + 2U));
+ "this frame\n"),
+ pIe->name, pIe->minSize, nBufRemaining);
FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
status |= DOT11F_INCOMPLETE_IE;
FRAMES_DBG_BREAK();
goto MandatoryCheck;
} else {
+ if (len < pIe->minSize - pIe->noui - 2U) {
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
+ "be at least %d bytes in size, but "
+ "there are only %d bytes in the IE\n"),
+ pIe->name, pIe->minSize, (len + pIe->noui + 2U));
+ goto skip_ie;
+ }
+
if (len > pIe->maxSize - pIe->noui - 2U) {
FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
"an unexpectedly large size; it is presumably "
@@ -12110,7 +12115,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
(*(uint16_t *)(pFrm + pIe->countOffset)));
if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
status |= DOT11F_DUPLICATE_IE;
- goto skip_dup_ie;
+ goto skip_ie;
}
switch (pIe->sig) {
case SigIeGTK:
@@ -13572,7 +13577,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
status |= DOT11F_UNKNOWN_IES;
}
-skip_dup_ie:
+skip_ie:
pBufRemaining += len;
if (len > nBufRemaining) {