| author | razorloves <razorloves@gmail.com> | 2019-07-06 20:23:40 -0500 |
|---|---|---|
| committer | razorloves <razorloves@gmail.com> | 2019-07-06 20:23:40 -0500 |
| commit | 935c8dd0f5a4c5df3b447dbfb40427275fe9c12d (patch) | |
| tree | 0344050ec72839114cf97779783570e32c29f7ae /drivers | |
| parent | 4f3ee8b00b044ab6c07d624bf662e1daa4c5f00d (diff) | |
| parent | a2426c4f8f23a3c14d387d50251de176be4d5b1a (diff) | |
July 2019 PQ3A.190705.001
2a53f55 dsp: asm: Add check for num_channels before calling q6asm_map_channels
b9e963d qcacld-2.0: Fix possible OOB access in limProcessDisassocFrame
0da2144 qcacld-2.0: Fix possible integer underflow in cfg80211_rx_mgmt
29f93f4 dsp: validate token before usage as array index
6ef3b69 qcacld-2.0: Fix OOB read in sme_RrmProcessBeaconReportReqInd
Diffstat (limited to 'drivers')
3 files changed, 19 insertions, 4 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
index d0a4fc9b1ad..430b9f4f9e1 100644
--- a/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
+++ b/drivers/staging/qcacld-2.0/CORE/HDD/src/wlan_hdd_main.c
@@ -3612,6 +3612,8 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
 hdd_adapter_t *adapter;
 v_CONTEXT_t vos_context;
 int i;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
 /* Get the global VOSS context.*/
 vos_context = vos_get_global_context(VOS_MODULE_ID_SYS, NULL);
@@ -3626,6 +3628,11 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
 if (0 != wlan_hdd_validate_context(hdd_ctx))
 return;
+ if (frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {
+ hddLog(LOGE, FL("Invalid frame length"));
+ return;
+ }
+
 if (HDD_SESSION_ID_ANY == frame_ind->sessionId) {
 for (i = 0; i < HDD_SESSION_MAX; i++) {
 adapter =
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
index 7de95743d5a..81c9f0ae3c3 100644
--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
@@ -78,13 +78,13 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
 tpSirMacMgmtHdr pHdr;
 tpDphHashNode pStaDs;
 tLimMlmDisassocInd mlmDisassocInd;
-#ifdef WLAN_FEATURE_11W
+
 tANI_U32 frameLen;
-#endif
 int8_t frame_rssi;
 pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
 pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 frame_rssi = (int8_t)WDA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
 if (limIsGroupAddr(pHdr->sa))
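Review bot: The new guard in the second hunk of wlan_hdd_main.c reads `mgmt->frame_control` before anything has established that `frame_ind->frame_len` covers those two octets, so a frame shorter than the frame-control field is still read out of the buffer before it is rejected. Checking the field size first, relying on short-circuit evaluation, closes that gap: `if (frame_ind->frame_len < sizeof(mgmt->frame_control) || frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {`. Whether `frame_len` and the `unsigned int` returned by `ieee80211_hdrlen()` share a signedness is not visible here; if `frame_len` is signed, a negative value would pass the comparison after promotion, so that is worth confirming. The check only bounds the MAC header, so any consumer further down that parses the frame body still needs its own length check. `hdd_indicate_mgmt_frame()` continues outside the hunk.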
@@ -126,7 +126,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
 return;
 }
-
 #ifdef WLAN_FEATURE_11W
 /* PMF: If this session is a PMF session, then ensure that this frame was protected */
 if(psessionEntry->limRmfEnabled &&
 (WDA_GET_RX_DPU_FEEDBACK(pRxPacketInfo) & DPU_FEEDBACK_UNPROTECTED_ERROR))
@@ -134,7 +133,6 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
 PELOGE(limLog(pMac, LOGE, FL("received an unprotected disassoc from AP"));)
 // If the frame received is unprotected, forward it to the supplicant to initiate
 // an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
 //send the unprotected frame indication to SME
 limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType, (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)),
@@ -143,6 +141,10 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
 }
 #endif
+ if (frameLen < 2) {
+ PELOGE(limLog(pMac, LOGE, FL("frame len less than 2"));)
+ return;
+ }
 // Get reasonCode from Disassociation frame body
 reasonCode = sirReadU16(pBody);
diff --git a/drivers/staging/qcacld-2.0/CORE/SME/src/rrm/sme_rrm.c b/drivers/staging/qcacld-2.0/CORE/SME/src/rrm/sme_rrm.c
index dc0565558d7..75eae5f43c8 100644
--- a/drivers/staging/qcacld-2.0/CORE/SME/src/rrm/sme_rrm.c
+++ b/drivers/staging/qcacld-2.0/CORE/SME/src/rrm/sme_rrm.c
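Review bot: The bound in the new `frameLen < 2` check in the last hunk of limProcessDisassocFrame.c is a bare magic number standing for the size of the Reason Code field that `sirReadU16(pBody)` reads two lines later; writing it as `if (frameLen < sizeof(tANI_U16)) {` with the comment `/* body must hold the 2-octet Reason Code read below */` ties the guard to what it protects. The log message also drops the offending value; `FL("disassoc body len %u less than 2")` with `frameLen` as the argument would make a rejected frame diagnosable from the log (frameLen is declared `tANI_U32` in the first hunk of this file). The existing `(frameLen + sizeof(tSirMacMgmtHdr))` expression in the PMF branch suggests frameLen excludes the MAC header, which is what makes 2 the right lower bound for the body; if that reading is wrong the guard is too weak and should be confirmed against `WDA_GET_RX_PAYLOAD_LEN`. `limProcessDisassocFrame()` starts and ends outside these hunks.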
@@ -900,6 +900,12 @@ eHalStatus sme_RrmProcessBeaconReportReqInd(tpAniSirGlobal pMac, void *pMsgBuf)
 #if defined WLAN_VOWIFI_DEBUG
 smsLog( pMac, LOGE, "Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum );
 #endif
+
+ if (pBeaconReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS) {
+ smsLog( pMac, LOGP, "Beacon report request numChannels: %u exceeds " "max num channels", pBeaconReq->channelList.numChannels);
+ return eHAL_STATUS_FAILURE;
+ }
 //section 11.10.8.1 (IEEE Std 802.11k-2008)
 //channel 0 and 255 has special meaning.
 if( (pBeaconReq->channelInfo.channelNum == 0) ||
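Review bot: The new check logs the rejected beacon report request at `LOGP` while the surrounding code in this hunk uses `LOGE`; the value being rejected arrives in an over-the-air 802.11k measurement request from the peer, so if `LOGP` is the fatal/panic level in this driver and carries any side effect beyond printing in some build configurations, a malformed frame from the network could trigger it. Unless the fatal level is intended, `smsLog( pMac, LOGE, "Beacon report request numChannels: %u exceeds "` is the safer fit for rejected input. The bound `SIR_ESE_MAX_MEAS_IE_REQS` is named for ESE measurement requests rather than for the channel list, so the check is only sufficient if the array inside `channelList` is dimensioned by that same constant; that is worth confirming against the struct definition, or better, expressing the bound with `ARRAY_SIZE()` of that array so the two cannot drift apart. `sme_RrmProcessBeaconReportReqInd()` continues outside the hunk.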
