Merge tag 'LA.UM.7.2.c26-04600-sdm660.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0 into lineage-18.1-caf-msm8998

"LA.UM.7.2.c26-04600-sdm660.0"

* tag 'LA.UM.7.2.c26-04600-sdm660.0' of https://source.codeaurora.org/quic/la/platform/vendor/qcom-opensource/wlan/qcacld-3.0:
  qcacld-3.0: Avoid OOB read in sch_get_csa_ecsa_count_offset
  qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response
  qcacld-3.0: Fix possible OOB in unpack_tlv_core

 Conflicts:
	drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h
	drivers/staging/qcacld-3.0/core/mac/src/pe/sch/sch_beacon_gen.c
	drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c

Change-Id: Ic0b8bb38e3d1d2be465d0dd3cb64c777400bfebc

3 files changed, 21 insertions, 12 deletions

diff --git a/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h b/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h
index 8c16f417604e..1a603f547d7f 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h
+++ b/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -26,7 +26,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Mon Mar 25 14:48:07 2019 from the following file(s):
+ * Wed Sep 29 13:23:21 2021 from the following file(s):
  *
  * dot11f.frms
  *
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/pe/sch/sch_beacon_gen.c b/drivers/staging/qcacld-3.0/core/mac/src/pe/sch/sch_beacon_gen.c
index 511b07cf699f..e037e45c9faa 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/pe/sch/sch_beacon_gen.c
+++ b/drivers/staging/qcacld-3.0/core/mac/src/pe/sch/sch_beacon_gen.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -156,7 +156,7 @@ sch_append_addn_ie(tpAniSirGlobal mac_ctx, tpPESession session,
 
 /**
  * sch_get_csa_ecsa_count_offset() - get the offset of Switch count field
- * @ie: pointer to the beggining of IEs in the beacon frame buffer
+ * @ie: pointer to the beginning of IEs in the beacon frame buffer
  * @ie_len: length of the IEs in the buffer
  * @csa_count_offset: pointer to the csa_count_offset variable in the caller
  * @ecsa_count_offset: pointer to the ecsa_count_offset variable in the caller
@@ -195,6 +195,9 @@ static void sch_get_csa_ecsa_count_offset(uint8_t *ie, uint32_t ie_len,
 			*ecsa_count_offset = offset +
 					SCH_ECSA_SWITCH_COUNT_OFFSET;
 
+		if (ie_len < elem_len)
+			return;
+
 		ie_len -= elem_len;
 		offset += elem_len;
 		ptr += (elem_len + 2);
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index 391d1b8801eb..55781cf9a8e0 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
@@ -24,7 +24,7 @@
  *
  *
  * This file was automatically generated by 'framesc'
- * Mon Mar 25 14:48:07 2019 from the following file(s):
+ * Wed Sep 29 13:23:21 2021 from the following file(s):
  *
  * dot11f.frms
  *
@@ -335,7 +335,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 	len += *(pBufRemaining+1);
 	pBufRemaining += len + 2;
 	len += 2;
-	while (len < nBuf) {
+	while (len + 1 < nBuf) {
 		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
 		if (NULL == pIe)
 			break;
@@ -13659,25 +13659,30 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal   pCtx,
 			}
 			/* & length, */
 			if (pTlv->sLen == 2) {
-				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
 				if (2 > nBufRemaining) {
 					FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
 							"fewer two byte(s) remaining.\n"));
 					status |= DOT11F_INCOMPLETE_TLV;
 					FRAMES_DBG_BREAK();
 					goto MandatoryCheck;
-			}
-			pBufRemaining += 2;
-			nBufRemaining -= 2;
+				}
+				framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
+				pBufRemaining += 2;
+				nBufRemaining -= 2;
 			} else {
 				len = *pBufRemaining;
 				pBufRemaining += 1;
 				nBufRemaining -= 1;
 			}
 		} else {
+			if (TLVs[0].sType > nBufRemaining) {
+				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
+					     "fewer LVs[0].sType byte(s) remaining.\n"));
+				status |= DOT11F_INCOMPLETE_TLV;
+				goto MandatoryCheck;
+			}
 			pBufRemaining += TLVs[0].sType;
 			nBufRemaining -= TLVs[0].sType;
-			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
 			if (2 > nBufRemaining) {
 				FRAMES_LOG0(pCtx, FRLOGE, FRFL("This frame reports "
 					     "fewer two byte(s) remaining.\n"));
@@ -13685,6 +13690,7 @@ static uint32_t unpack_tlv_core(tpAniSirGlobal   pCtx,
 				FRAMES_DBG_BREAK();
 				goto MandatoryCheck;
 			}
+			framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
 			pBufRemaining += 2;
 			nBufRemaining -= 2;
 		}