diff options
author | Harrison Lingren <hlingren@google.com> | 2020-06-05 14:13:43 -0700 |
---|---|---|
committer | Harrison Lingren <hlingren@google.com> | 2020-06-05 21:43:46 +0000 |
commit | ae55a6e8546070f4f0d666aa668039d2ccda715d (patch) | |
tree | 4d8b764a3c7bed8e34ac9bd1472ce4288653c632 | |
parent | a2b31c76ff9609997e81d3f88601a9dd10debcc2 (diff) | |
parent | 6b04742bda039bd3a19858f8c05cf92d95a67a82 (diff) | |
download | qcacld-ae55a6e8546070f4f0d666aa668039d2ccda715d.tar.gz |
Merge branch 'android-msm-pixel-4.9-qt-security-next' into android-msm-pixel-4.9-qt
AUG 2020.1
Bug: 157954141
Signed-off-by: Harrison Lingren <hlingren@google.com>
Change-Id: I78b3bf5fcd9d56f26dc22d6b2b1c12f6b89c3309
-rw-r--r-- | core/hdd/src/wlan_hdd_assoc.c | 16 | ||||
-rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 16 |
2 files changed, 21 insertions, 11 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c index b543894b5a..ef43e194dd 100644 --- a/core/hdd/src/wlan_hdd_assoc.c +++ b/core/hdd/src/wlan_hdd_assoc.c @@ -1076,8 +1076,9 @@ hdd_send_ft_assoc_response(struct net_device *dev, unsigned int len = 0; u8 *pFTAssocRsp = NULL; - if (pCsrRoamInfo->nAssocRspLength == 0) { - hdd_debug("assoc rsp length is 0"); + if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) { + hdd_debug("Invalid assoc rsp length %d", + pCsrRoamInfo->nAssocRspLength); return; } @@ -1094,15 +1095,20 @@ hdd_send_ft_assoc_response(struct net_device *dev, (unsigned int)pFTAssocRsp[0], (unsigned int)pFTAssocRsp[1]); + /* Send the Assoc Resp, the supplicant needs this for initial Auth. */ + len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET; + if (len > IW_GENERIC_IE_MAX) { + hdd_err("Invalid Assoc resp length %d", len); + return; + } + wrqu.data.length = len; + /* We need to send the IEs to the supplicant. */ buff = qdf_mem_malloc(IW_GENERIC_IE_MAX); if (buff == NULL) { hdd_err("unable to allocate memory"); return; } - /* Send the Assoc Resp, the supplicant needs this for initial Auth. */ - len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET; - wrqu.data.length = len; memcpy(buff, pFTAssocRsp, len); wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff); diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c index 3ca467f57b..838d584015 100644 --- a/core/mac/src/pe/rrm/rrm_api.c +++ b/core/mac/src/pe/rrm/rrm_api.c @@ -1,8 +1,5 @@ /* - * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved. - * - * Previously licensed under the ISC license by Qualcomm Atheros, Inc. - * + * Copyright (c) 2012-2020 The Linux Foundation. All rights reserved. * * Permission to use, copy, modify, and/or distribute this software for * any purpose with or without fee is hereby granted, provided that the @@ -721,11 +718,18 @@ rrm_fill_beacon_ies(tpAniSirGlobal pMac, *pNumIes += sizeof(uint16_t); pIes += sizeof(uint16_t); - while (BcnNumIes > 0) { - len = *(pBcnIes + 1) + 2; /* element id + length. */ + while (BcnNumIes >= 2) { + len = *(pBcnIes + 1); + len += 2; /* element id + length. */ pe_debug("EID = %d, len = %d total = %d", *pBcnIes, *(pBcnIes + 1), len); + if (BcnNumIes < len) { + pe_err("RRM: Invalid IE len:%d exp_len:%d", + len, BcnNumIes); + break; + } + i = 0; do { if (((eids == NULL) || (*pBcnIes == eids[i])) && |