author | SecurityBot AutoMerger <android-nexus-securitybot@system.gserviceaccount.com> | 2020-06-08 16:20:52 -0700 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2020-06-08 16:20:53 -0700 |
commit | e93c969b99c7cfb8d3533fa3acb50be9e65a1d25 (patch) | |
tree | 01a852fe72407f82b5e9f27df1a68e0857185c7e | |
parent | aa076ee9c69e4e294295635e964c1d75e2f4f138 (diff) | |
parent | 9e6fe3400564dc0f10e82ce91591ee6f46bc0170 (diff) | |
Merge android-msm-pixel-4.9-qt-qpr2 into android-msm-pixel-4.9-qt-qpr3
Refs: android-10.0.0_r0.79, android-10.0.0_r0.77, android-msm-crosshatch-4.9-android10-qpr3, android-msm-bonito-4.9-android10-qpr3
SBMerger: 284775313
Change-Id: Iced89e0c48cf34e4d49071832c9c692cbe46b4af
Signed-off-by: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>
-rw-r--r-- | core/hdd/src/wlan_hdd_assoc.c | 16 | ||||
-rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 16 |
2 files changed, 21 insertions, 11 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index b543894b5a..ef43e194dd 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -1076,8 +1076,9 @@ hdd_send_ft_assoc_response(struct net_device *dev,
 unsigned int len = 0;
 u8 *pFTAssocRsp = NULL;
 
- if (pCsrRoamInfo->nAssocRspLength == 0) {
- hdd_debug("assoc rsp length is 0");
+ if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+ hdd_debug("Invalid assoc rsp length %d",
+ pCsrRoamInfo->nAssocRspLength);
 return;
 }
 
@@ -1094,15 +1095,20 @@ hdd_send_ft_assoc_response(struct net_device *dev,
 (unsigned int)pFTAssocRsp[0],
 (unsigned int)pFTAssocRsp[1]);
 
+ /* Send the Assoc Resp, the supplicant needs this for initial Auth. */
+ len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+ if (len > IW_GENERIC_IE_MAX) {
+ hdd_err("Invalid Assoc resp length %d", len);
+ return;
+ }
+ wrqu.data.length = len;
+
 /* We need to send the IEs to the supplicant. */
 buff = qdf_mem_malloc(IW_GENERIC_IE_MAX);
 if (buff == NULL) {
 hdd_err("unable to allocate memory");
 return;
 }
- /* Send the Assoc Resp, the supplicant needs this for initial Auth. */
- len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
- wrqu.data.length = len;
 memcpy(buff, pFTAssocRsp, len);
 wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);
 
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c
index 5854929c25..da3a4c628b 100644
--- a/core/mac/src/pe/rrm/rrm_api.c
+++ b/core/mac/src/pe/rrm/rrm_api.c
@@ -1,8 +1,5 @@
 /*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
- *
- * Previously licensed under the ISC license by Qualcomm Atheros, Inc.
- *
+ * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved.
  *
  * Permission to use, copy, modify, and/or distribute this software for
  * any purpose with or without fee is hereby granted, provided that the
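Review bot: The new lower bound in the first hunk still accepts `nAssocRspLength == FT_ASSOC_RSP_IES_OFFSET`, which leaves zero IE bytes, while the debug print visible at the top of the next hunk reads `pFTAssocRsp[0]` and `pFTAssocRsp[1]`. The assignment of `pFTAssocRsp` lies outside both hunks, so this is inferred, but if it already points at the IE offset those two reads fall past the end of the response. Requiring room for one IE header would close that: `if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET + 2) {`. The rejection is also logged with `hdd_debug` while the upper-bound rejection in the next hunk uses `hdd_err`; a malformed response is easier to find during triage if both use the same level.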
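Review bot: `len` is declared `unsigned int` (context of the previous hunk), so the new `hdd_err("Invalid Assoc resp length %d", len);` in the second hunk should use `%u`. The added check bounds `len` against the destination size only; nothing visible here ties `pFTAssocRsp + len` to the size of the source frame buffer, so a one-line comment above the `memcpy` naming where `nAssocRspLength` is validated against the received frame would let the copy be reviewed on its own. The function continues past the hunk, so whether `buff` is released after `wireless_send_event` cannot be checked from here.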
@@ -732,11 +729,18 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac,
 *pNumIes += sizeof(uint16_t);
 pIes += sizeof(uint16_t);
 
- while (BcnNumIes > 0) {
- len = *(pBcnIes + 1) + 2; /* element id + length. */
+ while (BcnNumIes >= 2) {
+ len = *(pBcnIes + 1);
+ len += 2; /* element id + length. */
 pe_debug("EID = %d, len = %d total = %d",
 *pBcnIes, *(pBcnIes + 1), len);
 
+ if (BcnNumIes < len) {
+ pe_err("RRM: Invalid IE len:%d exp_len:%d",
+ len, BcnNumIes);
+ break;
+ }
+
 i = 0;
 do {
 if (((eids == NULL) || (*pBcnIes == eids[i])) && |
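Review bot: The added `BcnNumIes < len` guard only works if `len` can hold values up to 257, and its declaration is outside the hunk. If `len` is an 8-bit type, `len += 2` wraps for element lengths 254 and 255, so the guard passes with a total of 0 or 1 and the rest of the loop (not visible) would presumably step the cursor by that amount. Confirm `len` is at least `uint16_t`, or compute the total in a wider local such as `uint16_t ie_len = (uint16_t)pBcnIes[1] + 2;`. The `pe_err` label `exp_len` actually prints the remaining byte count `BcnNumIes`, so `remaining:%d` would describe it more accurately. The loop body runs past the last visible line, so the copy into `pIes` is not covered by this note.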