| author | Naveen Rawat <naveenrawat@codeaurora.org> | 2018-04-27 10:44:36 -0700 |
|---|---|---|
| committer | nshrivas <nshrivas@codeaurora.org> | 2018-04-30 13:56:16 -0700 |
| commit | b1feaefd8bdbefd6f6b4767d32c72e292ebaf334 (patch) | |
| tree | f3a35887b555e527f1e300951e2f5d5b65f5ef9c | |
| parent | d1cae2ee31d4bc9e1636bf20dee5f7744794fc57 (diff) | |
qcacld-3.0: Avoid integer underflow in dot11f_unpack functions
In the dot11f_unpack functions, the length of the buffer passed in is
decremented as the pointer advances through the buffer. Add a check for
integer underflow before decrementing the length.
Change-Id: I4ed39d326855c2027ff0bc3cbe5c8981a2ae2aa1
CRs-Fixed: 2231755
| -rw-r--r-- | core/mac/src/include/dot11f.h | 6 | ||||
| -rw-r--r-- | core/mac/src/sys/legacy/src/utils/src/dot11f.c | 1440 |
2 files changed, 1444 insertions, 2 deletions
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h index 84604837f5bc..a59f9ef4dc9d 100644 --- a/core/mac/src/include/dot11f.h +++ b/core/mac/src/include/dot11f.h @@ -35,7 +35,7 @@ * * * This file was automatically generated by 'framesc' - * Fri Feb 16 10:33:08 2018 from the following file(s): + * Fri Apr 27 15:42:09 2018 from the following file(s): * * dot11f.frms * @@ -57,6 +57,10 @@ typedef uint32_t tDOT11F_U64[2]; #define __must_check #endif +#if !defined unlikely +#define unlikely(x) (x) +#endif + /* * Frames Return Codes: * diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c index 5ca8a5607572..bbdfa929405d 100644 --- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c +++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c @@ -33,7 +33,7 @@ * * * This file was automatically generated by 'framesc' - * Fri Feb 16 10:33:08 2018 from the following file(s): + * Fri Apr 27 15:42:09 2018 from the following file(s): * * dot11f.frms * @@ -823,6 +823,9 @@ uint32_t dot11f_unpack_tlv_authorized_ma_cs(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->mac, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; @@ -844,6 +847,9 @@ uint32_t dot11f_unpack_tlv_version2(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp5__; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp5__ = *pBuf; pBuf += 1; tlvlen -= 1; 
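Review bot: Each new guard, beginning with the one in dot11f_unpack_tlv_authorized_ma_cs, runs after `pDst->present = 1;` has already been set, so a truncated TLV returns DOT11F_INCOMPLETE_IE while leaving the destination marked present with the remaining fields unparsed. The file's existing bad-fixed-value path (visible in the dot11f_unpack_ie_wmm_schedule hunk) clears the flag before returning, `pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE;`, and the same shape here, `pDst->present = 0; return DOT11F_INCOMPLETE_IE;`, would stop a half-parsed element from being consumed as valid unless every caller already discards the output on a non-zero return, which this diff does not show. The same applies to every guard added in this commit, in both the TLV and the IE unpack functions. Since dot11f.c is generated by 'framesc', the change belongs in the generator template rather than in this file alone. The enclosing functions continue outside the hunks.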
@@ -901,9 +907,15 @@ uint32_t dot11f_unpack_tlv_extended_listen_timing(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->availibilityPeriod, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->availibilityInterval, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; @@ -921,12 +933,21 @@ uint32_t dot11f_unpack_tlv_listen_channel(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1016,9 +1037,15 @@ uint32_t dot11f_unpack_tlv_notice_of_absence(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->index = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->CTSWindowOppPS = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1045,12 +1072,21 @@ uint32_t dot11f_unpack_tlv_operating_channel(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; 
@@ -1068,9 +1104,15 @@ uint32_t dot11f_unpack_tlv_p2_p_capability(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->deviceCapability = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->groupCapability = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1088,6 +1130,9 @@ uint32_t dot11f_unpack_tlv_p2_p_device_id(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; @@ -1112,12 +1157,21 @@ uint32_t dot11f_unpack_tlv_p2_p_device_info(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->configMethod, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->primaryDeviceType, pBuf, 8); pBuf += 8; tlvlen -= (uint8_t)8; @@ -1163,12 +1217,21 @@ uint32_t dot11f_unpack_tlv_primary_device_type(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; (void)pBuf; (void)tlvlen; /* Shutup the compiler */ pDst->present = 1; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (uint8_t)4; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; 
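Review bot: In dot11f_unpack_tlv_primary_device_type the pre-existing line `(void)pBuf; (void)tlvlen; /* Shutup the compiler */` now sits directly above three guards that read tlvlen, so the casts and the comment are stale and tell a reader the arguments are unused when they are not. Dropping that line would make the function match dot11f_unpack_tlv_request_device_type in the next hunk, which has the same body without it. The tail of the function is outside the hunk.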
@@ -1189,12 +1252,21 @@ uint32_t dot11f_unpack_tlv_request_device_type(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (uint8_t)4; + if (unlikely(tlvlen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; @@ -1247,6 +1319,9 @@ uint32_t dot11f_unpack_tlv_uuid_e(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (uint8_t)16; @@ -1264,6 +1339,9 @@ uint32_t dot11f_unpack_tlv_uuid_r(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (uint8_t)16; @@ -1295,6 +1373,9 @@ uint32_t dot11f_unpack_tlv_vendor_extension(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->vendorId, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; @@ -1319,6 +1400,9 @@ uint32_t dot11f_unpack_tlv_version(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp6__; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp6__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1356,6 +1440,9 @@ uint32_t dot11f_unpack_tlv_non_prefferd_chan_rep(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->oper_class = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; 
@@ -1383,6 +1470,9 @@ uint32_t dot11f_unpack_tlv_oce_cap(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp7__; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp7__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1405,6 +1495,9 @@ uint32_t dot11f_unpack_tlv_reduced_wan_metrics(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp8__; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp8__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1424,9 +1517,15 @@ uint32_t dot11f_unpack_tlv_rssi_assoc_rej(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->delta_rssi = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->retry_delay = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1450,6 +1549,9 @@ uint32_t dot11f_unpack_tlv_p2_p_interface(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; @@ -1475,14 +1577,23 @@ uint32_t dot11f_unpack_ie_gtk(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp9__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->keyId = tmp9__ >> 0 & 0x3; pDst->reserved = tmp9__ >> 2 & 0x3feb; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->RSC, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; 
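Review bot: In dot11f_unpack_ie_gtk the guards return the bare constant `return DOT11F_INCOMPLETE_IE;` after `status` may already have been set to DOT11F_DUPLICATE_IE two lines earlier, so the duplicate indication is lost on a short element. The file's own error path for a bad fixed value (visible in dot11f_unpack_ie_wmm_schedule) ORs into the accumulated status, `return status | DOT11F_BAD_FIXED_VALUE;`, and writing the new guards as `return status | DOT11F_INCOMPLETE_IE;` would keep them consistent with it, assuming callers treat these codes as bit flags as that path implies. The same applies to every IE guard in the remaining hunks of dot11f.c. The rest of dot11f_unpack_ie_gtk lies outside the hunk.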
@@ -1511,15 +1622,27 @@ uint32_t dot11f_unpack_ie_igtk(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->keyID, pBuf, 2); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->IPN, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 24)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->key, pBuf, 24); (void)pCtx; return status; @@ -1564,6 +1687,9 @@ uint32_t dot11f_unpack_ie_r1_kh_id(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->PMK_R1_ID, pBuf, 6); (void)pCtx; return status; @@ -1583,6 +1709,9 @@ uint32_t dot11f_unpack_ie_ap_channel_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1611,6 +1740,9 @@ uint32_t dot11f_unpack_ie_bcn_reporting_detail(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->reportingDetail = *pBuf; (void)pCtx; return status; @@ -1655,9 +1787,15 @@ uint32_t dot11f_unpack_ie_beacon_reporting(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->reportingCondition = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->threshold = *pBuf; (void)pCtx; return status; 
@@ -1677,6 +1815,9 @@ uint32_t dot11f_unpack_ie_condensed_country_str(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->countryStr, pBuf, 2); (void)pCtx; return status; @@ -1696,6 +1837,9 @@ uint32_t dot11f_unpack_ie_measurement_pilot(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurementPilot = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1719,6 +1863,9 @@ uint32_t dot11f_unpack_ie_multi_bssid(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->maxBSSIDIndicator = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1742,12 +1889,21 @@ uint32_t dot11f_unpack_ie_ric_data(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->Identifier = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->resourceDescCount = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->statusCode, pBuf, 0); (void)pCtx; return status; @@ -1767,6 +1923,9 @@ uint32_t dot11f_unpack_ie_ric_descriptor(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->resourceType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1795,6 +1954,9 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp10__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -1806,6 +1968,9 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->BeaconActive = tmp10__ >> 5 & 0x1; pDst->BeaconTable = tmp10__ >> 6 & 0x1; pDst->BeaconRepCond = tmp10__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp11__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1817,6 +1982,9 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->LCIAzimuth = tmp11__ >> 5 & 0x1; pDst->TCMCapability = tmp11__ >> 6 & 0x1; pDst->triggeredTCM = tmp11__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp12__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1824,6 +1992,9 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->RRMMIBEnabled = tmp12__ >> 1 & 0x1; pDst->operatingChanMax = tmp12__ >> 2 & 0x7; pDst->nonOperatinChanMax = tmp12__ >> 5 & 0x7; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp13__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1833,6 +2004,9 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->RCPIMeasurement = tmp13__ >> 5 & 0x1; pDst->RSNIMeasurement = tmp13__ >> 6 & 0x1; pDst->BssAvgAccessDelay = tmp13__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp14__ = *pBuf; pDst->BSSAvailAdmission = tmp14__ >> 0 & 0x1; pDst->AntennaInformation = tmp14__ >> 1 & 0x1; @@ -1905,6 +2079,9 @@ uint32_t dot11f_unpack_ie_schedule(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp15__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -1912,15 +2089,27 @@ uint32_t dot11f_unpack_ie_schedule(tpAniSirGlobal pCtx, pDst->tsid = tmp15__ >> 1 & 0xf; pDst->direction = tmp15__ >> 5 & 0x3; pDst->reserved = tmp15__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; 
@@ -1940,68 +2129,125 @@ uint32_t dot11f_unpack_ie_tclas(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= 
(uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 6: + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; @@ -2009,6 +2255,9 @@ uint32_t dot11f_unpack_ie_tclas(tpAniSirGlobal pCtx, } break; case 2: + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -2035,6 +2284,9 @@ uint32_t dot11f_unpack_ie_ts_delay(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; 
@@ -2054,9 +2306,15 @@ uint32_t dot11f_unpack_ie_tsf_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->TsfOffset, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->BeaconIntvl, pBuf, 0); (void)pCtx; return status; @@ -2079,6 +2337,9 @@ uint32_t dot11f_unpack_ie_tspec(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp16__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2090,55 +2351,103 @@ uint32_t dot11f_unpack_ie_tspec(tpAniSirGlobal pCtx, pDst->psb = tmp16__ >> 10 & 0x1; pDst->user_priority = tmp16__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp16__ >> 14 & 0x3; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp17__ = *pBuf; pBuf += 1; ielen -= 1; pDst->schedule = tmp17__ >> 0 & 0x1; pDst->unused = tmp17__ >> 1 & 0x7f; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp18__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp18__ >> 0 & 0x7fff; pDst->fixed = tmp18__ >> 15 & 0x1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if 
(unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2161,6 +2470,9 @@ uint32_t dot11f_unpack_ie_vht_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &tmp19__, pBuf, 0); pBuf += 4; ielen -= 4; @@ -2184,17 +2496,29 @@ uint32_t dot11f_unpack_ie_vht_caps(tpAniSirGlobal pCtx, pDst->rxAntPattern = tmp19__ >> 28 & 0x1; pDst->txAntPattern = tmp19__ >> 29 & 0x1; pDst->reserved1 = tmp19__ >> 30 & 0x3; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->rxMCSMap, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp20__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->rxHighSupDataRate = tmp20__ >> 0 & 0x1fff; pDst->reserved2 = tmp20__ >> 13 & 0x7; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->txMCSMap, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp21__, pBuf, 0); pDst->txSupDataRate = tmp21__ >> 0 & 0x1fff; pDst->reserved3 = tmp21__ >> 13 & 0x7; 
@@ -2216,15 +2540,27 @@ uint32_t dot11f_unpack_ie_vht_operation(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->chanWidth = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->chanCenterFreqSeg1 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->chanCenterFreqSeg2 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->basicMCSSet, pBuf, 0); (void)pCtx; return status; @@ -2245,6 +2581,9 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2252,6 +2591,9 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp22__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -2259,15 +2601,27 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, pDst->tsid = tmp22__ >> 1 & 0xf; pDst->direction = tmp22__ >> 5 & 0x3; pDst->reserved = tmp22__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; 
@@ -2287,6 +2641,9 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -2294,68 +2651,125 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= 
(uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 6: + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; @@ -2363,6 +2777,9 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, } break; case 2: + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -2386,6 +2803,9 @@ uint32_t dot11f_unpack_ie_wmmtclasproc(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2393,6 +2813,9 @@ uint32_t dot11f_unpack_ie_wmmtclasproc(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->processing = *pBuf; (void)pCtx; return status; 
@@ -2412,6 +2835,9 @@ uint32_t dot11f_unpack_ie_wmmts_delay(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2419,6 +2845,9 @@ uint32_t dot11f_unpack_ie_wmmts_delay(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; @@ -2441,6 +2870,9 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2448,6 +2880,9 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp23__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2459,55 +2894,103 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, pDst->psb = tmp23__ >> 10 & 0x1; pDst->user_priority = tmp23__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp23__ >> 14 & 0x3; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp24__ = *pBuf; pBuf += 1; ielen -= 1; pDst->tsinfo_rsvd = tmp24__ >> 0 & 0x7f; pDst->burst_size_defn = tmp24__ >> 7 & 0x1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp25__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp25__ >> 0 & 0x7fff; pDst->fixed = tmp25__ >> 15 & 0x1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= 
(uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2527,12 +3010,21 @@ uint32_t dot11f_unpack_ie_wider_bw_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->newChanWidth = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->newCenterChanFreq0 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->newCenterChanFreq1 = *pBuf; (void)pCtx; return status; @@ -2552,6 +3044,9 @@ uint32_t dot11f_unpack_ie_azimuth_req(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->request = *pBuf; (void)pCtx; return status; @@ -2571,6 +3066,9 @@ uint32_t dot11f_unpack_ie_max_age(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->max_age, pBuf, 0); (void)pCtx; return status; 
@@ -2619,9 +3117,15 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp26__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2632,6 +3136,9 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, pDst->QosCap = tmp26__ >> 5 & 0x1; pDst->apsd = tmp26__ >> 6 & 0x1; pDst->rrm = tmp26__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp27__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2639,15 +3146,27 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, pDst->ImmBA = tmp27__ >> 1 & 0x1; pDst->MobilityDomain = tmp27__ >> 2 & 0x1; pDst->reserved = tmp27__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2677,6 +3196,9 @@ uint32_t dot11f_unpack_ie_req_mac_addr(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->addr, pBuf, 6); (void)pCtx; return status; @@ -2696,6 +3218,9 @@ uint32_t dot11f_unpack_ie_tgt_mac_addr(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->addr, pBuf, 6); (void)pCtx; return status; 
@@ -2740,6 +3265,9 @@ uint32_t dot11f_unpack_ie_aid(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->assocId, pBuf, 0); (void)pCtx; return status; @@ -2759,15 +3287,27 @@ uint32_t dot11f_unpack_ie_cf_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->cfp_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->cfp_period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->cfp_maxduration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->cfp_durremaining, pBuf, 0); (void)pCtx; return status; @@ -2812,12 +3352,21 @@ uint32_t dot11f_unpack_ie_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->switchMode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->newChannel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->switchCount = *pBuf; (void)pCtx; return status; @@ -2879,6 +3428,9 @@ uint32_t dot11f_unpack_ie_country(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 3)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->country, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; 
@@ -2923,12 +3475,21 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->qos = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp28__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2936,14 +3497,23 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acbe_acm = tmp28__ >> 4 & 0x1; pDst->acbe_aci = tmp28__ >> 5 & 0x3; pDst->unused1 = tmp28__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp29__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp29__ >> 0 & 0xf; pDst->acbe_acwmax = tmp29__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp30__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2951,14 +3521,23 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acbk_acm = tmp30__ >> 4 & 0x1; pDst->acbk_aci = tmp30__ >> 5 & 0x3; pDst->unused2 = tmp30__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp31__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp31__ >> 0 & 0xf; pDst->acbk_acwmax = tmp31__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp32__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2966,14 +3545,23 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acvi_acm = tmp32__ >> 4 & 0x1; pDst->acvi_aci = tmp32__ >> 5 & 0x3; pDst->unused3 = tmp32__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp33__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp33__ >> 0 & 0xf; pDst->acvi_acwmax = tmp33__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp34__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2981,11 +3569,17 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acvo_acm = tmp34__ >> 4 & 0x1; pDst->acvo_aci = tmp34__ >> 5 & 0x3; pDst->unused4 = tmp34__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp35__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp35__ >> 0 & 0xf; pDst->acvo_acwmax = tmp35__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -3006,6 +3600,9 @@ uint32_t dot11f_unpack_ie_erp_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp36__ = *pBuf; pDst->non_erp_present = tmp36__ >> 0 & 0x1; pDst->use_prot = tmp36__ >> 1 & 0x1; @@ -3055,9 +3652,15 @@ uint32_t dot11f_unpack_ie_ese_rad_mgmt_cap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->mgmt_state = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp37__ = *pBuf; pDst->mbssid_mask = tmp37__ >> 0 & 0x7; pDst->reserved = tmp37__ >> 3 & 0x1f; 
@@ -3079,12 +3682,21 @@ uint32_t dot11f_unpack_ie_ese_traf_strm_met(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->tsid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->state = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->msmt_interval, pBuf, 0); (void)pCtx; return status; @@ -3104,6 +3716,9 @@ uint32_t dot11f_unpack_ie_ese_traf_strm_rate_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->tsid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -3132,9 +3747,15 @@ uint32_t dot11f_unpack_ie_ese_txmit_power(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->power_limit = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->reserved = *pBuf; (void)pCtx; return status; @@ -3154,6 +3775,9 @@ uint32_t dot11f_unpack_ie_ese_version(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; (void)pCtx; return status; 
@@ -3261,15 +3885,27 @@ uint32_t dot11f_unpack_ie_fh_param_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->dwell_time, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->hop_set = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->hop_pattern = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->hop_index = *pBuf; (void)pCtx; return status; @@ -3289,9 +3925,15 @@ uint32_t dot11f_unpack_ie_fh_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->radix = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->nchannels = *pBuf; (void)pCtx; return status; @@ -3311,15 +3953,27 @@ uint32_t dot11f_unpack_ie_fh_patt_table(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->flag = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->nsets = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->modulus = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->offset = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -3368,17 +4022,29 @@ uint32_t dot11f_unpack_ie_ft_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp38__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->reserved = tmp38__ >> 0 & 0xff; pDst->IECount = tmp38__ >> 8 & 0xff; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->MIC, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 32)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->Anonce, pBuf, 32); pBuf += 32; ielen -= (uint8_t)32; + if (unlikely(ielen < 32)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->Snonce, pBuf, 32); pBuf += 32; ielen -= (uint8_t)32; @@ -3413,6 +4079,9 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp39__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3430,15 +4099,24 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->psmp = tmp39__ >> 13 & 0x1; pDst->stbcControlFrame = tmp39__ >> 14 & 0x1; pDst->lsigTXOPProtection = tmp39__ >> 15 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp40__ = *pBuf; pBuf += 1; ielen -= 1; pDst->maxRxAMPDUFactor = tmp40__ >> 0 & 0x3; pDst->mpduDensity = tmp40__ >> 2 & 0x7; pDst->reserved1 = tmp40__ >> 5 & 0x7; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->supportedMCSSet, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp41__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3447,6 +4125,9 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->reserved2 = tmp41__ >> 3 & 0x1f; pDst->mcsFeedback = tmp41__ >> 8 & 0x3; pDst->reserved3 = tmp41__ >> 10 & 0x3f; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &tmp42__, pBuf, 0); pBuf += 4; ielen -= 4; @@ -3466,6 +4147,9 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->uncompressedSteeringMatrixBFAntennae = tmp42__ >> 21 & 0x3; pDst->compressedSteeringMatrixBFAntennae = tmp42__ >> 23 & 0x3; pDst->reserved4 = tmp42__ >> 25 & 0x7f; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp43__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3505,9 +4189,15 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->primaryChannel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp44__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3516,6 +4206,9 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->rifsMode = tmp44__ >> 3 & 0x1; pDst->controlledAccessOnly = tmp44__ >> 4 & 0x1; pDst->serviceIntervalGranularity = tmp44__ >> 5 & 0x7; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp45__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3524,6 +4217,9 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->transmitBurstLimit = tmp45__ >> 3 & 0x1; pDst->obssNonHTStaPresent = tmp45__ >> 4 & 0x1; pDst->reserved = tmp45__ >> 5 & 0x7ff; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp46__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3534,6 +4230,9 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->pcoActive = tmp46__ >> 10 & 0x1; pDst->pcoPhase = tmp46__ >> 11 & 0x1; pDst->reserved2 = tmp46__ >> 12 & 0xf; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->basicMCSSet, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; @@ -3562,6 +4261,9 @@ uint32_t dot11f_unpack_ie_ibss_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->atim, pBuf, 0); (void)pCtx; return status; @@ -3581,12 +4283,21 @@ uint32_t dot11f_unpack_ie_link_identifier(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->InitStaAddr, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->RespStaAddr, pBuf, 6); (void)pCtx; return status; @@ -3685,9 +4396,15 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->token = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp47__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3695,6 +4412,9 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, pDst->incapable = tmp47__ >> 1 & 0x1; pDst->refused = tmp47__ >> 2 & 0x1; pDst->unused = tmp47__ >> 3 & 0x1f; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -3703,15 +4423,27 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, } else { switch (pDst->type) { case 0: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Basic.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + framesntohq(pCtx, &pDst->report.Basic.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->report.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp48__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3723,84 +4455,159 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, pDst->report.Basic.unused = tmp48__ >> 5 & 0x7; break; case 1: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.CCA.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + framesntohq(pCtx, &pDst->report.CCA.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->report.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.CCA.cca_busy_fraction = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 2: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + framesntohq(pCtx, &pDst->report.RPIHistogram.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->report.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi0_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi1_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi2_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi3_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi4_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi5_density 
= *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi6_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.RPIHistogram.rpi7_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 5: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Beacon.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + framesntohq(pCtx, &pDst->report.Beacon.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->report.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp49__ = *pBuf; pBuf += 1; ielen -= 1; pDst->report.Beacon.condensed_PHY = tmp49__ >> 0 & 0x7f; pDst->report.Beacon.reported_frame_type = tmp49__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Beacon.RCPI = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Beacon.RSNI = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->report.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->report.Beacon.antenna_id = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->report.Beacon.parent_TSF, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; 
@@ -3903,9 +4710,15 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_token = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp50__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3915,59 +4728,107 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, pDst->report = tmp50__ >> 3 & 0x1; pDst->durationMandatory = tmp50__ >> 4 & 0x1; pDst->unused = tmp50__ >> 5 & 0x7; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->measurement_type) { case 0: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.Basic.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Basic.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.CCA.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->measurement_request.CCA.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 2: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.RPIHistogram.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->measurement_request.RPIHistogram.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 5: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.Beacon.regClass = *pBuf; pBuf 
+= 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.Beacon.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.Beacon.randomization, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.Beacon.meas_mode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; @@ -3980,6 +4841,9 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, sizeof(*pDst), append_ie); break; case 8: + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.lci.loc_subject = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -3992,9 +4856,15 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, sizeof(*pDst), append_ie); break; case 16: + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->measurement_request.ftmrr.random_interval, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->measurement_request.ftmrr.min_ap_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -4026,9 +4896,15 @@ uint32_t dot11f_unpack_ie_mobility_domain(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->MDID, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp51__ = *pBuf; pDst->overDSCap = tmp51__ >> 0 & 0x1; pDst->resourceReqCap = tmp51__ >> 1 & 0x1; 
@@ -4080,9 +4956,15 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp52__ = *pBuf; pBuf += 1; ielen -= 1; @@ -4093,6 +4975,9 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, pDst->QosCap = tmp52__ >> 5 & 0x1; pDst->apsd = tmp52__ >> 6 & 0x1; pDst->rrm = tmp52__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp53__ = *pBuf; pBuf += 1; ielen -= 1; @@ -4100,15 +4985,27 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, pDst->ImmBA = tmp53__ >> 1 & 0x1; pDst->MobilityDomain = tmp53__ >> 2 & 0x1; pDst->reserved = tmp53__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -4138,24 +5035,45 @@ uint32_t dot11f_unpack_ie_obss_scan_parameters(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->obssScanPassiveDwell, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->obssScanActiveDwell, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->bssChannelWidthTriggerScanInterval, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->obssScanPassiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->obssScanActiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->bssWidthChannelTransitionDelayFactor, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->obssScanActivityThreshold, pBuf, 0); (void)pCtx; return status; @@ -4176,6 +5094,9 @@ uint32_t dot11f_unpack_ie_operating_mode(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp54__ = *pBuf; pDst->chanWidth = tmp54__ >> 0 & 0x3; pDst->reserved = tmp54__ >> 2 & 0x3; @@ -4489,9 +5410,15 @@ uint32_t dot11f_unpack_ie_pti_control(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->tid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->sequence_control, pBuf, 0); (void)pCtx; return status; 
@@ -4512,6 +5439,9 @@ uint32_t dot11f_unpack_ie_pu_buffer_status(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp55__ = *pBuf; pDst->ac_bk_traffic_aval = tmp55__ >> 0 & 0x1; pDst->ac_be_traffic_aval = tmp55__ >> 1 & 0x1; @@ -4536,9 +5466,15 @@ uint32_t dot11f_unpack_ie_power_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->minTxPower = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->maxTxPower = *pBuf; (void)pCtx; return status; @@ -4558,6 +5494,9 @@ uint32_t dot11f_unpack_ie_power_constraints(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->localPowerConstraints = *pBuf; (void)pCtx; return status; @@ -4577,12 +5516,21 @@ uint32_t dot11f_unpack_ie_qbss_load(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->stacount, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->chautil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->avail, pBuf, 0); (void)pCtx; return status; @@ -4602,6 +5550,9 @@ uint32_t dot11f_unpack_ie_QCN_IE(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->version, pBuf, 4); (void)pCtx; return status; 
@@ -4621,9 +5572,15 @@ uint32_t dot11f_unpack_ie_QComVendorIE(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->channel = *pBuf; (void)pCtx; return status; @@ -4644,6 +5601,9 @@ uint32_t dot11f_unpack_ie_qos_caps_ap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp56__ = *pBuf; pDst->count = tmp56__ >> 0 & 0xf; pDst->qack = tmp56__ >> 4 & 0x1; @@ -4669,6 +5629,9 @@ uint32_t dot11f_unpack_ie_qos_caps_station(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp57__ = *pBuf; pDst->acvo_uapsd = tmp57__ >> 0 & 0x1; pDst->acvi_uapsd = tmp57__ >> 1 & 0x1; @@ -4720,15 +5683,27 @@ uint32_t dot11f_unpack_ie_quiet(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->offset, pBuf, 0); (void)pCtx; return status; @@ -4748,6 +5723,9 @@ uint32_t dot11f_unpack_ie_rcpiie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->rcpi = *pBuf; (void)pCtx; return status; 
@@ -4841,10 +5819,14 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t def_cipher_suite[4] = {0x00, 0x0f, 0xac, 0x04}; uint8_t def_akm_suite[4] = {0x00, 0x0f, 0xac, 0x01}; + (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -4866,6 +5848,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->gp_cipher_suite_present = 1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4886,6 +5871,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 2) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4895,6 +5883,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->pwise_cipher_suite_count * 4)) + return DOT11F_INCOMPLETE_IE; + if (!pDst->pwise_cipher_suite_count || pDst->pwise_cipher_suite_count > 6) { pDst->present = 0; @@ -4917,6 +5908,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 2) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4926,6 +5920,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->akm_suite_cnt * 4)) + return DOT11F_INCOMPLETE_IE; + if (!pDst->akm_suite_cnt || pDst->akm_suite_cnt > 6) { pDst->present = 0; 
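Review bot: The new `if (unlikely(ielen < 4)) return DOT11F_INCOMPLETE_IE;` in the rsn hunk at old line 4866 is placed directly before the existing `if (ielen < 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; }`, which becomes unreachable; the same shadowing occurs at old lines 4886 and 4917 and in the rsn hunks on the next line (4947, 4962, 4988). The result for a short RSN IE therefore changes from DOT11F_SKIPPED_BAD_IE with `present` cleared to DOT11F_INCOMPLETE_IE with `present` left set — if that is intended the dead checks should be removed, otherwise the new guard should only cover the cases the old ones did not. The count-scaled guards (`ielen < pDst->pwise_cipher_suite_count * 4`, `akm_suite_cnt * 4`, `pmkid_count * 16`) also sit ahead of the existing count range checks (`> 6`, `> 4`), so an out-of-range count in a short IE is now reported as incomplete rather than bad; placing them after the range check keeps the diagnostics as before, and the same ordering applies to the wapi hunks (`akm_suite_count`, `unicast_cipher_suite_count`, `bkid_count`) and the wpa hunks later in this diff. dot11f_unpack_ie_rsn starts and ends outside these hunks.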
@@ -4947,6 +5944,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->RSN_Cap_present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 2) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4962,6 +5962,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 2) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4971,6 +5974,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->pmkid_count * 16)) + return DOT11F_INCOMPLETE_IE; + if (pDst->pmkid_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4988,6 +5994,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->gp_mgmt_cipher_suite_present = 1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + if (ielen < 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5013,6 +6022,9 @@ uint32_t dot11f_unpack_ie_rsniie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->rsni = *pBuf; (void)pCtx; return status; @@ -5140,12 +6152,21 @@ uint32_t dot11f_unpack_ie_tim(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->dtim_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->dtim_period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->bmpctl = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -5174,9 +6195,15 @@ uint32_t dot11f_unpack_ie_tpc_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->tx_power = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->link_margin = *pBuf; (void)pCtx; return status; @@ -5214,12 +6241,21 @@ uint32_t dot11f_unpack_ie_time_advertisement(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->timing_capabilities = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 10)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->time_value, pBuf, 10); pBuf += 10; ielen -= (uint8_t)10; + if (unlikely(ielen < 5)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->time_error, pBuf, 5); (void)pCtx; return status; @@ -5239,9 +6275,15 @@ uint32_t dot11f_unpack_ie_timeout_interval(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->timeoutType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + framesntohl(pCtx, &pDst->timeoutValue, pBuf, 0); (void)pCtx; return status; 
@@ -5261,18 +6303,33 @@ uint32_t dot11f_unpack_ie_vht_ext_bss_load(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->muMIMOCapStaCount = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->ssUnderUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->FortyMHzUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->EightyMHzUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->OneSixtyMHzUtil = *pBuf; (void)pCtx; return status; @@ -5329,6 +6386,9 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -5336,9 +6396,15 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < pDst->akm_suite_count * 4)) + return DOT11F_INCOMPLETE_IE; + if (pDst->akm_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -5347,9 +6413,15 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, DOT11F_MEMCPY(pCtx, pDst->akm_suites, pBuf, (pDst->akm_suite_count * 4)); pBuf += (pDst->akm_suite_count * 4); ielen -= (pDst->akm_suite_count * 4); + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->unicast_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < pDst->unicast_cipher_suite_count * 4)) + return DOT11F_INCOMPLETE_IE; + if (pDst->unicast_cipher_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5358,9 +6430,15 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, DOT11F_MEMCPY(pCtx, pDst->unicast_cipher_suites, pBuf, (pDst->unicast_cipher_suite_count * 4)); pBuf += (pDst->unicast_cipher_suite_count * 4); ielen -= (pDst->unicast_cipher_suite_count * 4); + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp58__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -5370,10 +6448,16 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, pDst->bkid_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->bkid_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->bkid_count * 16)) + return DOT11F_INCOMPLETE_IE; + if (pDst->bkid_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5423,9 +6507,15 @@ uint32_t dot11f_unpack_ie_wfatpc(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->txPower = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->linkMargin = *pBuf; (void)pCtx; return status; 
@@ -5471,6 +6561,9 @@ uint32_t dot11f_unpack_ie_wmm_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -5478,6 +6571,9 @@ uint32_t dot11f_unpack_ie_wmm_caps(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp59__ = *pBuf; pDst->reserved = tmp59__ >> 0 & 0xf; pDst->qack = tmp59__ >> 4 & 0x1; @@ -5503,9 +6599,15 @@ uint32_t dot11f_unpack_ie_wmm_info_ap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp60__ = *pBuf; pDst->param_set_count = tmp60__ >> 0 & 0xf; pDst->reserved = tmp60__ >> 4 & 0x7; @@ -5529,9 +6631,15 @@ uint32_t dot11f_unpack_ie_wmm_info_station(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp61__ = *pBuf; pDst->acvo_uapsd = tmp61__ >> 0 & 0x1; pDst->acvi_uapsd = tmp61__ >> 1 & 0x1; @@ -5566,6 +6674,9 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -5573,12 +6684,21 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->qosInfo = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->reserved2 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp62__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5586,14 +6706,23 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acbe_acm = tmp62__ >> 4 & 0x1; pDst->acbe_aci = tmp62__ >> 5 & 0x3; pDst->unused1 = tmp62__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp63__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp63__ >> 0 & 0xf; pDst->acbe_acwmax = tmp63__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp64__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5601,14 +6730,23 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acbk_acm = tmp64__ >> 4 & 0x1; pDst->acbk_aci = tmp64__ >> 5 & 0x3; pDst->unused2 = tmp64__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp65__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp65__ >> 0 & 0xf; pDst->acbk_acwmax = tmp65__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp66__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -5616,14 +6754,23 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acvi_acm = tmp66__ >> 4 & 0x1; pDst->acvi_aci = tmp66__ >> 5 & 0x3; pDst->unused3 = tmp66__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp67__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp67__ >> 0 & 0xf; pDst->acvi_acwmax = tmp67__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp68__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5631,11 +6778,17 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acvo_acm = tmp68__ >> 4 & 0x1; pDst->acvo_aci = tmp68__ >> 5 & 0x3; pDst->unused4 = tmp68__ >> 7 & 0x1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp69__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp69__ >> 0 & 0xf; pDst->acvo_acwmax = tmp69__ >> 4 & 0xf; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -5655,6 +6808,9 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -5669,6 +6825,9 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, return 0U; } else { pDst->multicast_cipher_present = 1U; + if (unlikely(ielen < 4)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; 
@@ -5678,10 +6837,16 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, pDst->auth_suite_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->unicast_cipher_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->unicast_cipher_count * 4)) + return DOT11F_INCOMPLETE_IE; + if (pDst->unicast_cipher_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5694,10 +6859,16 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, pDst->auth_suite_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->auth_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->auth_suite_count * 4)) + return DOT11F_INCOMPLETE_IE; + if (pDst->auth_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5709,6 +6880,9 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, if (!ielen) { return 0U; } else { + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->caps, pBuf, 0); } (void)pCtx; @@ -6248,6 +7422,9 @@ uint32_t dot11f_unpack_ie_dh_parameter_element(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->group, pBuf, 2); pBuf += 2; ielen -= (uint8_t)2; 
@@ -6271,15 +7448,27 @@ uint32_t dot11f_unpack_ie_ext_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->switch_mode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->new_reg_class = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->new_channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->switch_count = *pBuf; (void)pCtx; return status; @@ -6299,6 +7488,9 @@ uint32_t dot11f_unpack_ie_fils_assoc_delay_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->assoc_delay_info = *pBuf; (void)pCtx; return status; @@ -6318,9 +7510,15 @@ uint32_t dot11f_unpack_ie_fils_hlp_container(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->dest_mac, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->src_mac, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; @@ -6345,6 +7543,9 @@ uint32_t dot11f_unpack_ie_fils_indication(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &tmp70__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -6377,6 +7578,9 @@ uint32_t dot11f_unpack_ie_fils_kde(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->key_rsc, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; 
@@ -6420,6 +7624,9 @@ uint32_t dot11f_unpack_ie_fils_nonce(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 16)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->nonce, pBuf, 16); (void)pCtx; return status; @@ -6439,6 +7646,9 @@ uint32_t dot11f_unpack_ie_fils_public_key(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->key_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -6462,6 +7672,9 @@ uint32_t dot11f_unpack_ie_fils_session(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) + return DOT11F_INCOMPLETE_IE; + DOT11F_MEMCPY(pCtx, pDst->session, pBuf, 8); (void)pCtx; return status; @@ -6522,6 +7735,9 @@ uint32_t dot11f_unpack_ie_hs20vendor_ie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp71__ = *pBuf; pBuf += 1; ielen -= 1; @@ -6534,11 +7750,17 @@ uint32_t dot11f_unpack_ie_hs20vendor_ie(tpAniSirGlobal pCtx, } else { switch (pDst->hs_id_present) { case 1: + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->hs_id.pps_mo.pps_mo_id, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 2: + if (unlikely(ielen < 2)) + return DOT11F_INCOMPLETE_IE; + framesntohs(pCtx, &pDst->hs_id.anqp_domain.anqp_domain_id, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -6564,6 +7786,9 @@ uint32_t dot11f_unpack_ie_ht2040_bss_coexistence(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + tmp72__ = *pBuf; pDst->info_request = tmp72__ >> 0 & 0x1; pDst->forty_mhz_intolerant = tmp72__ >> 1 & 0x1; 
@@ -6589,6 +7814,9 @@ uint32_t dot11f_unpack_ie_ht2040_bss_intolerant_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->operating_class = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -6637,6 +7865,9 @@ uint32_t dot11f_unpack_ie_sec_chan_offset_ele(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->secondaryChannelOffset = *pBuf; (void)pCtx; return status; @@ -6671,6 +7902,9 @@ uint32_t dot11f_unpack_ie_vendor_vht_ie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) + return DOT11F_INCOMPLETE_IE; + pDst->sub_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -15063,6 +16297,9 @@ uint32_t dot11f_pack_tlv_version2(tpAniSirGlobal pCtx, tmp78__ = 0U; tmp78__ |= (pSrc->minor << 0); tmp78__ |= (pSrc->major << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp78__; *pnConsumed += 1; pBuf += 1; @@ -16032,6 +17269,9 @@ uint32_t dot11f_pack_tlv_version(tpAniSirGlobal pCtx, tmp79__ = 0U; tmp79__ |= (pSrc->minor << 0); tmp79__ |= (pSrc->major << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp79__; *pnConsumed += 1; pBuf += 1; @@ -16275,6 +17515,9 @@ uint32_t dot11f_pack_tlv_oce_cap(tpAniSirGlobal pCtx, tmp80__ |= (pSrc->is_sta_cfon << 3); tmp80__ |= (pSrc->non_oce_ap_present << 4); tmp80__ |= (pSrc->reserved << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp80__; *pnConsumed += 1; pBuf += 1; @@ -16309,6 +17552,9 @@ uint32_t dot11f_pack_tlv_reduced_wan_metrics(tpAniSirGlobal pCtx, tmp81__ = 0U; tmp81__ |= (pSrc->downlink_av_cap << 0); tmp81__ |= (pSrc->uplink_av_cap << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp81__; *pnConsumed += 1; pBuf += 1; 
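Review bot: The pack-side guards added from dot11f_pack_tlv_version2 onward (`if (unlikely(nBuf < 1)) return DOT11F_INCOMPLETE_IE;`, and the 2- and 4-byte variants in the following hunks) reuse a parse-side status for an output-buffer shortfall; as far as I recall the packers' up-front size check (not in these hunks) reports that condition as DOT11F_BUFFER_OVERFLOW, and if DOT11F_INCOMPLETE_IE does not satisfy DOT11F_FAILED() for the caller, the frame would be treated as packed. By the time these checks run, earlier fields have presumably been written and `*pnConsumed` advanced, so an early return here leaves a partially written element whose length byte no longer matches its body. Whether `nBuf` is decremented alongside `pBuf` is not visible in these hunks; if the up-front check already covers the whole element these per-field checks are unreachable and could be dropped, otherwise `return DOT11F_BUFFER_OVERFLOW;` is the code the pack path's callers expect. Each enclosing pack function starts and ends outside its hunk.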
@@ -16491,6 +17737,9 @@ uint32_t dot11f_pack_ie_gtk(tpAniSirGlobal pCtx, tmp82__ = 0U; tmp82__ |= (pSrc->keyId << 0); tmp82__ |= (pSrc->reserved << 2); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp82__, 0); *pnConsumed += 2; pBuf += 2; @@ -16922,6 +18171,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp83__ |= (pSrc->BeaconActive << 5); tmp83__ |= (pSrc->BeaconTable << 6); tmp83__ |= (pSrc->BeaconRepCond << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp83__; *pnConsumed += 1; pBuf += 1; @@ -16935,6 +18187,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp84__ |= (pSrc->LCIAzimuth << 5); tmp84__ |= (pSrc->TCMCapability << 6); tmp84__ |= (pSrc->triggeredTCM << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp84__; *pnConsumed += 1; pBuf += 1; @@ -16944,6 +18199,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp85__ |= (pSrc->RRMMIBEnabled << 1); tmp85__ |= (pSrc->operatingChanMax << 2); tmp85__ |= (pSrc->nonOperatinChanMax << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp85__; *pnConsumed += 1; pBuf += 1; @@ -16955,6 +18213,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp86__ |= (pSrc->RCPIMeasurement << 5); tmp86__ |= (pSrc->RSNIMeasurement << 6); tmp86__ |= (pSrc->BssAvgAccessDelay << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp86__; *pnConsumed += 1; pBuf += 1; @@ -16965,6 +18226,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp87__ |= (pSrc->fine_time_meas_rpt << 2); tmp87__ |= (pSrc->lci_capability << 3); tmp87__ |= (pSrc->reserved << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp87__; *pnConsumed += 1; /* fieldsEndFlag = 1 */ 
@@ -17059,6 +18323,9 @@ uint32_t dot11f_pack_ie_schedule(tpAniSirGlobal pCtx, tmp88__ |= (pSrc->tsid << 1); tmp88__ |= (pSrc->direction << 5); tmp88__ |= (pSrc->reserved << 7); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp88__, 0); *pnConsumed += 2; pBuf += 2; @@ -17306,6 +18573,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp89__ |= (pSrc->psb << 10); tmp89__ |= (pSrc->user_priority << 11); tmp89__ |= (pSrc->tsinfo_ack_pol << 14); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp89__, 0); *pnConsumed += 2; pBuf += 2; @@ -17313,6 +18583,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp90__ = 0U; tmp90__ |= (pSrc->schedule << 0); tmp90__ |= (pSrc->unused << 1); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp90__; *pnConsumed += 1; pBuf += 1; @@ -17320,6 +18593,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp91__ = 0U; tmp91__ |= (pSrc->size << 0); tmp91__ |= (pSrc->fixed << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp91__, 0); *pnConsumed += 2; pBuf += 2; @@ -17416,6 +18692,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp92__ |= (pSrc->rxAntPattern << 28); tmp92__ |= (pSrc->txAntPattern << 29); tmp92__ |= (pSrc->reserved1 << 30); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp92__, 0); *pnConsumed += 4; pBuf += 4; @@ -17426,6 +18705,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp93__ = 0U; tmp93__ |= (pSrc->rxHighSupDataRate << 0); tmp93__ |= (pSrc->reserved2 << 13); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp93__, 0); *pnConsumed += 2; pBuf += 2; 
@@ -17436,6 +18718,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp94__ = 0U; tmp94__ |= (pSrc->txSupDataRate << 0); tmp94__ |= (pSrc->reserved3 << 13); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp94__, 0); *pnConsumed += 2; /* fieldsEndFlag = 1 */ @@ -17523,6 +18808,9 @@ uint32_t dot11f_pack_ie_wmm_schedule(tpAniSirGlobal pCtx, tmp95__ |= (pSrc->tsid << 1); tmp95__ |= (pSrc->direction << 5); tmp95__ |= (pSrc->reserved << 7); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp95__, 0); *pnConsumed += 2; pBuf += 2; @@ -17790,6 +19078,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp96__ |= (pSrc->psb << 10); tmp96__ |= (pSrc->user_priority << 11); tmp96__ |= (pSrc->tsinfo_ack_pol << 14); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp96__, 0); *pnConsumed += 2; pBuf += 2; @@ -17797,6 +19088,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp97__ = 0U; tmp97__ |= (pSrc->tsinfo_rsvd << 0); tmp97__ |= (pSrc->burst_size_defn << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp97__; *pnConsumed += 1; pBuf += 1; @@ -17804,6 +19098,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp98__ = 0U; tmp98__ |= (pSrc->size << 0); tmp98__ |= (pSrc->fixed << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp98__, 0); *pnConsumed += 2; pBuf += 2; @@ -17985,6 +19282,9 @@ uint32_t dot11f_pack_ie_neighbor_rpt(tpAniSirGlobal pCtx, tmp99__ |= (pSrc->QosCap << 5); tmp99__ |= (pSrc->apsd << 6); tmp99__ |= (pSrc->rrm << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp99__; *pnConsumed += 1; pBuf += 1; 
@@ -17994,6 +19294,9 @@ uint32_t dot11f_pack_ie_neighbor_rpt(tpAniSirGlobal pCtx, tmp100__ |= (pSrc->ImmBA << 1); tmp100__ |= (pSrc->MobilityDomain << 2); tmp100__ |= (pSrc->reserved << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp100__; *pnConsumed += 1; pBuf += 1; @@ -18384,6 +19687,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp101__ |= (pSrc->acbe_acm << 4); tmp101__ |= (pSrc->acbe_aci << 5); tmp101__ |= (pSrc->unused1 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp101__; *pnConsumed += 1; pBuf += 1; @@ -18391,6 +19697,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp102__ = 0U; tmp102__ |= (pSrc->acbe_acwmin << 0); tmp102__ |= (pSrc->acbe_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp102__; *pnConsumed += 1; pBuf += 1; @@ -18403,6 +19712,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp103__ |= (pSrc->acbk_acm << 4); tmp103__ |= (pSrc->acbk_aci << 5); tmp103__ |= (pSrc->unused2 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp103__; *pnConsumed += 1; pBuf += 1; @@ -18410,6 +19722,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp104__ = 0U; tmp104__ |= (pSrc->acbk_acwmin << 0); tmp104__ |= (pSrc->acbk_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp104__; *pnConsumed += 1; pBuf += 1; @@ -18422,6 +19737,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp105__ |= (pSrc->acvi_acm << 4); tmp105__ |= (pSrc->acvi_aci << 5); tmp105__ |= (pSrc->unused3 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp105__; *pnConsumed += 1; pBuf += 1; 
@@ -18429,6 +19747,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp106__ = 0U; tmp106__ |= (pSrc->acvi_acwmin << 0); tmp106__ |= (pSrc->acvi_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp106__; *pnConsumed += 1; pBuf += 1; @@ -18441,6 +19762,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp107__ |= (pSrc->acvo_acm << 4); tmp107__ |= (pSrc->acvo_aci << 5); tmp107__ |= (pSrc->unused4 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp107__; *pnConsumed += 1; pBuf += 1; @@ -18448,6 +19772,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp108__ = 0U; tmp108__ |= (pSrc->acvo_acwmin << 0); tmp108__ |= (pSrc->acvo_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp108__; *pnConsumed += 1; pBuf += 1; @@ -18487,6 +19814,9 @@ uint32_t dot11f_pack_ie_erp_info(tpAniSirGlobal pCtx, tmp109__ |= (pSrc->use_prot << 1); tmp109__ |= (pSrc->barker_preamble << 2); tmp109__ |= (pSrc->unused << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp109__; *pnConsumed += 1; /* fieldsEndFlag = 1 */ @@ -18569,6 +19899,9 @@ uint32_t dot11f_pack_ie_ese_rad_mgmt_cap(tpAniSirGlobal pCtx, tmp110__ = 0U; tmp110__ |= (pSrc->mbssid_mask << 0); tmp110__ |= (pSrc->reserved << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp110__; *pnConsumed += 1; /* fieldsEndFlag = 1 */ @@ -18966,6 +20299,9 @@ uint32_t dot11f_pack_ie_ft_info(tpAniSirGlobal pCtx, tmp111__ = 0U; tmp111__ |= (pSrc->reserved << 0); tmp111__ |= (pSrc->IECount << 8); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp111__, 0); *pnConsumed += 2; pBuf += 2; 
@@ -19032,6 +20368,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp112__ |= (pSrc->psmp << 13); tmp112__ |= (pSrc->stbcControlFrame << 14); tmp112__ |= (pSrc->lsigTXOPProtection << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp112__, 0); *pnConsumed += 2; pBuf += 2; @@ -19040,6 +20379,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp113__ |= (pSrc->maxRxAMPDUFactor << 0); tmp113__ |= (pSrc->mpduDensity << 2); tmp113__ |= (pSrc->reserved1 << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp113__; *pnConsumed += 1; pBuf += 1; @@ -19053,6 +20395,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp114__ |= (pSrc->reserved2 << 3); tmp114__ |= (pSrc->mcsFeedback << 8); tmp114__ |= (pSrc->reserved3 << 10); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp114__, 0); *pnConsumed += 2; pBuf += 2; @@ -19074,6 +20419,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp115__ |= (pSrc->uncompressedSteeringMatrixBFAntennae << 21); tmp115__ |= (pSrc->compressedSteeringMatrixBFAntennae << 23); tmp115__ |= (pSrc->reserved4 << 25); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp115__, 0); *pnConsumed += 4; pBuf += 4; @@ -19087,6 +20435,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp116__ |= (pSrc->rxAS << 5); tmp116__ |= (pSrc->txSoundingPPDUs << 6); tmp116__ |= (pSrc->reserved5 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp116__; *pnConsumed += 1; pBuf += 1; @@ -19132,6 +20483,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx, tmp117__ |= (pSrc->rifsMode << 3); tmp117__ |= (pSrc->controlledAccessOnly << 4); tmp117__ |= (pSrc->serviceIntervalGranularity << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp117__; *pnConsumed += 1; pBuf += 1; 
@@ -19142,6 +20496,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx,
 tmp118__ |= (pSrc->transmitBurstLimit << 3);
 tmp118__ |= (pSrc->obssNonHTStaPresent << 4);
 tmp118__ |= (pSrc->reserved << 5);
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp118__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -19154,6 +20511,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx,
 tmp119__ |= (pSrc->pcoActive << 10);
 tmp119__ |= (pSrc->pcoPhase << 11);
 tmp119__ |= (pSrc->reserved2 << 12);
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp119__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -19316,6 +20676,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx,
 tmp120__ |= (pSrc->incapable << 1);
 tmp120__ |= (pSrc->refused << 2);
 tmp120__ |= (pSrc->unused << 3);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp120__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -19342,6 +20705,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx,
 tmp121__ |= (pSrc->report.Basic.rader << 3);
 tmp121__ |= (pSrc->report.Basic.unmeasured << 4);
 tmp121__ |= (pSrc->report.Basic.unused << 5);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp121__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -19412,6 +20778,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx,
 tmp122__ = 0U;
 tmp122__ |= (pSrc->report.Beacon.condensed_PHY << 0);
 tmp122__ |= (pSrc->report.Beacon.reported_frame_type << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp122__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -19483,6 +20852,9 @@ uint32_t dot11f_pack_ie_measurement_request(tpAniSirGlobal pCtx,
 tmp123__ |= (pSrc->report << 3);
 tmp123__ |= (pSrc->durationMandatory << 4);
 tmp123__ |= (pSrc->unused << 5);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp123__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -19613,6 +20985,9 @@ uint32_t dot11f_pack_ie_mobility_domain(tpAniSirGlobal pCtx,
 tmp124__ |= (pSrc->overDSCap << 0);
 tmp124__ |= (pSrc->resourceReqCap << 1);
 tmp124__ |= (pSrc->reserved << 2);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp124__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -19659,6 +21034,9 @@ uint32_t dot11f_pack_ie_neighbor_report(tpAniSirGlobal pCtx,
 tmp125__ |= (pSrc->QosCap << 5);
 tmp125__ |= (pSrc->apsd << 6);
 tmp125__ |= (pSrc->rrm << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp125__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -19668,6 +21046,9 @@ uint32_t dot11f_pack_ie_neighbor_report(tpAniSirGlobal pCtx,
 tmp126__ |= (pSrc->ImmBA << 1);
 tmp126__ |= (pSrc->MobilityDomain << 2);
 tmp126__ |= (pSrc->reserved << 3);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp126__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -19770,6 +21151,9 @@ uint32_t dot11f_pack_ie_operating_mode(tpAniSirGlobal pCtx,
 tmp127__ |= (pSrc->reserved << 2);
 tmp127__ |= (pSrc->rxNSS << 4);
 tmp127__ |= (pSrc->rxNSSType << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp127__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -20260,6 +21644,9 @@ uint32_t dot11f_pack_ie_pu_buffer_status(tpAniSirGlobal pCtx,
 tmp128__ |= (pSrc->ac_vi_traffic_aval << 2);
 tmp128__ |= (pSrc->ac_vo_traffic_aval << 3);
 tmp128__ |= (pSrc->reserved << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp128__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -20468,6 +21855,9 @@ uint32_t dot11f_pack_ie_qos_caps_ap(tpAniSirGlobal pCtx,
 tmp129__ |= (pSrc->qreq << 5);
 tmp129__ |= (pSrc->txopreq << 6);
 tmp129__ |= (pSrc->reserved << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp129__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -20507,6 +21897,9 @@ uint32_t dot11f_pack_ie_qos_caps_station(tpAniSirGlobal pCtx,
 tmp130__ |= (pSrc->qack << 4);
 tmp130__ |= (pSrc->max_sp_length << 5);
 tmp130__ |= (pSrc->more_data_ack << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp130__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -21181,6 +22574,9 @@ uint32_t dot11f_pack_ie_wapi(tpAniSirGlobal pCtx,
 tmp131__ = 0U;
 tmp131__ |= (pSrc->preauth << 0);
 tmp131__ |= (pSrc->reserved << 1);
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp131__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -21349,6 +22745,9 @@ uint32_t dot11f_pack_ie_wmm_caps(tpAniSirGlobal pCtx,
 tmp132__ |= (pSrc->queue_request << 5);
 tmp132__ |= (pSrc->txop_request << 6);
 tmp132__ |= (pSrc->more_ack << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp132__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -21397,6 +22796,9 @@ uint32_t dot11f_pack_ie_wmm_info_ap(tpAniSirGlobal pCtx,
 tmp133__ |= (pSrc->param_set_count << 0);
 tmp133__ |= (pSrc->reserved << 4);
 tmp133__ |= (pSrc->uapsd << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp133__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -21449,6 +22851,9 @@ uint32_t dot11f_pack_ie_wmm_info_station(tpAniSirGlobal pCtx,
 tmp134__ |= (pSrc->reserved1 << 4);
 tmp134__ |= (pSrc->max_sp_length << 5);
 tmp134__ |= (pSrc->reserved2 << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp134__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */
@@ -21511,6 +22916,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp135__ |= (pSrc->acbe_acm << 4);
 tmp135__ |= (pSrc->acbe_aci << 5);
 tmp135__ |= (pSrc->unused1 << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp135__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21518,6 +22926,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp136__ = 0U;
 tmp136__ |= (pSrc->acbe_acwmin << 0);
 tmp136__ |= (pSrc->acbe_acwmax << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp136__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21530,6 +22941,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp137__ |= (pSrc->acbk_acm << 4);
 tmp137__ |= (pSrc->acbk_aci << 5);
 tmp137__ |= (pSrc->unused2 << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp137__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21537,6 +22951,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp138__ = 0U;
 tmp138__ |= (pSrc->acbk_acwmin << 0);
 tmp138__ |= (pSrc->acbk_acwmax << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp138__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21549,6 +22966,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp139__ |= (pSrc->acvi_acm << 4);
 tmp139__ |= (pSrc->acvi_aci << 5);
 tmp139__ |= (pSrc->unused3 << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp139__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21556,6 +22976,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp140__ = 0U;
 tmp140__ |= (pSrc->acvi_acwmin << 0);
 tmp140__ |= (pSrc->acvi_acwmax << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp140__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21568,6 +22991,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp141__ |= (pSrc->acvo_acm << 4);
 tmp141__ |= (pSrc->acvo_aci << 5);
 tmp141__ |= (pSrc->unused4 << 7);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp141__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -21575,6 +23001,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx,
 tmp142__ = 0U;
 tmp142__ |= (pSrc->acvo_acwmin << 0);
 tmp142__ |= (pSrc->acvo_acwmax << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp142__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -22291,6 +23720,9 @@ uint32_t dot11f_pack_ie_fils_indication(tpAniSirGlobal pCtx,
 tmp143__ |= (pSrc->is_fils_sk_auth_pfs_supported << 10);
 tmp143__ |= (pSrc->is_pk_auth_supported << 11);
 tmp143__ |= (pSrc->reserved << 12);
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp143__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -22562,6 +23994,9 @@ uint32_t dot11f_pack_ie_hs20vendor_ie(tpAniSirGlobal pCtx,
 tmp144__ |= (pSrc->hs_id_present << 1);
 tmp144__ |= (pSrc->reserved << 3);
 tmp144__ |= (pSrc->release_num << 4);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp144__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -22616,6 +24051,9 @@ uint32_t dot11f_pack_ie_ht2040_bss_coexistence(tpAniSirGlobal pCtx,
 tmp145__ |= (pSrc->obss_scan_exemption_req << 3);
 tmp145__ |= (pSrc->obss_scan_exemption_grant << 4);
 tmp145__ |= (pSrc->unused << 5);
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp145__;
 *pnConsumed += 1;
 /* fieldsEndFlag = 1 */ |
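Review bot: `return DOT11F_INCOMPLETE_IE;` in these pack routines reuses the parse-side status that means "an IE in the input frame is shorter than its declared length", so a caller of a dot11f_pack_ie_* function cannot tell "input frame truncated" apart from "output buffer too small" by its status alone. If dot11f.h already carries an output-buffer status (I believe DOT11F_BUFFER_OVERFLOW exists there), that would be the more accurate code for this path; otherwise a comment at the first such return in each function, e.g. `/* output buffer exhausted; reported as INCOMPLETE_IE for parity with the unpack side */`, should record the choice. The commit message only mentions dot11f_unpack functions, although the hunks on this and the preceding lines are entirely in dot11f_pack_ie_* functions, so the description understates what changed. The enclosing function bodies start and end outside these hunks.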
