authorHsiu-Chang Chen <hsiuchangchen@google.com>2024-02-19 14:03:18 +0800
committerHsiu-Chang Chen <hsiuchangchen@google.com>2024-02-19 07:21:28 +0000
commitdbcdeb2032f17534848957448a1b6fde5ada1c8e (patch)
tree34b1d93c12038e493e902ec06c358adc44303f1f
parent049759cf3ea8ec9cd0c506a59e068a042732b221 (diff)
downloadqca-wfi-host-cmn-android-msm-redbull-4.19-android14-qpr3-beta.tar.gz
Changes to fix OOB issue seen in util_scan_parse_beacon_frame. Bug: 323926776 Test: Regression Test Change-Id: I53244be54d31e87b55d0b44ce94315c8001f417d CRs-Fixed: 3582496 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r--umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h3
-rw-r--r--umac/scan/dispatcher/src/wlan_scan_utils_api.c3
2 files changed, 6 insertions, 0 deletions
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
index d8d688e58..34e4f5ebd 100644
--- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
+++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h
@@ -146,6 +146,9 @@
/* Max channel switch time IE length */
#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4
+#define WLAN_MIN_HECAP_IE_LEN 22
+#define WLAN_MAX_HECAP_IE_LEN 55
+
/* HT capability flags */
#define WLAN_HTCAP_C_ADVCODING 0x0001
#define WLAN_HTCAP_C_CHWIDTH40 0x0002
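Review bot: The new limits `WLAN_MIN_HECAP_IE_LEN` and `WLAN_MAX_HECAP_IE_LEN` are bare numbers with no comment, unlike the define just above them, so a reader cannot tell how 22 and 55 are derived or whether the length counts the Element ID Extension octet. The values look consistent with the HE Capabilities layout when that octet is counted (1 + 6 MAC + 11 PHY + 4 MCS/NSS = 22, plus 8 further MCS/NSS octets and 25 PPE-threshold octets = 55), but that should be confirmed against the spec revision the driver targets. I would add `/* HE Capabilities IE length bounds, including the extension ID octet */` above the pair, and record the field sum there so the limits can be re-checked when the element format changes.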
diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 655af7cf2..62e8e00e3 100644
--- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -433,6 +433,9 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params,
scan_params->ie_list.srp = (uint8_t *)ie;
break;
case WLAN_EXTN_ELEMID_HECAP:
+ if ((extn_ie->ie_len < WLAN_MIN_HECAP_IE_LEN) ||
+ (extn_ie->ie_len > WLAN_MAX_HECAP_IE_LEN))
+ return QDF_STATUS_E_INVAL;
scan_params->ie_list.hecap = (uint8_t *)ie;
break;
case WLAN_EXTN_ELEMID_HEOP:
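Review bot: The new early `return QDF_STATUS_E_INVAL;` under `case WLAN_EXTN_ELEMID_HECAP:` rejects the frame without logging anything, so an out-of-range HE Capabilities length from a malformed or hostile AP leaves no trace for triage. A rate-limited debug line before the return, using the module's existing logging macro (e.g. `scm_debug("Invalid HE cap IE len %d", extn_ie->ie_len);`) with braces around the two statements, would make these rejects visible. The range check only guarantees a length of 22 to 55 octets; any consumer of `scan_params->ie_list.hecap` that reads the optional fields still has to bound itself by the element's own length, which cannot be verified from this hunk. util_scan_parse_extn_ie starts and ends outside the hunk.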