diff options
| author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2019-11-21 18:57:55 +0530 |
|---|---|---|
| committer | Sunil Ravi <sunilravi@google.com> | 2019-11-21 12:51:30 -0800 |
| commit | 03ed8a8ce5b6d7e9e940c188b3c045ceb81aa2fe (patch) | |
| tree | 22c641dc8cef0cfb97b8d4f2c70547262560313f | |
| parent | 7f51da62839029839fc0c3d3a11306f95d1c4942 (diff) | |
| download | qcacld-03ed8a8ce5b6d7e9e940c188b3c045ceb81aa2fe.tar.gz | |
qcacld-3.0: Validate number of requested EIDs in beacon requestandroid-10.0.0_r0.40android-10.0.0_r0.38android-10.0.0_r0.34android-10.0.0_r0.33android-msm-crosshatch-4.9-android10-qpr1android-msm-bonito-4.9-android10-qpr1
If the requested info field in beacon report request is present,
the driver tries to allocate memory for the target beacon report
EIDs from the number of requested EIDs received from the frame.
Since the number of requested EIDs is directly controlled by the
frame sent by AP, validate this value before using it to allocate
memory.
Bug: 144843138
Change-Id: Icbac3e952de0d7ae3144e9b319f2c51ccdf93ac5
CRs-Fixed: 2571480
Signed-off-by: Sunil Ravi <sunilravi@google.com>
| -rw-r--r-- | core/mac/src/pe/rrm/rrm_api.c | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/core/mac/src/pe/rrm/rrm_api.c b/core/mac/src/pe/rrm/rrm_api.c index 6c351e8d13..a1f2586feb 100644 --- a/core/mac/src/pe/rrm/rrm_api.c +++ b/core/mac/src/pe/rrm/rrm_api.c @@ -570,6 +570,11 @@ rrm_process_beacon_report_req(tpAniSirGlobal pMac, reportingDetail : BEACON_REPORTING_DETAIL_ALL_FF_IE; if (pBeaconReq->measurement_request.Beacon.RequestedInfo.present) { + if (!pBeaconReq->measurement_request.Beacon.RequestedInfo. + num_requested_eids) { + pe_debug("802.11k BCN RPT: Requested num of EID is 0"); + return eRRM_FAILURE; + } pCurrentReq->request.Beacon.reqIes.pElementIds = qdf_mem_malloc(sizeof(uint8_t) * pBeaconReq->measurement_request.Beacon. @@ -578,6 +583,7 @@ rrm_process_beacon_report_req(tpAniSirGlobal pMac, pe_err("Unable to allocate memory for request IEs buffer"); return eRRM_FAILURE; } + pCurrentReq->request.Beacon.reqIes.num = pBeaconReq->measurement_request.Beacon.RequestedInfo. num_requested_eids; @@ -585,6 +591,11 @@ rrm_process_beacon_report_req(tpAniSirGlobal pMac, pBeaconReq->measurement_request.Beacon. RequestedInfo.requested_eids, pCurrentReq->request.Beacon.reqIes.num); + pe_debug("802.11k BCN RPT: Requested EIDs: num:[%d]", + pCurrentReq->request.Beacon.reqIes.num); + QDF_TRACE_HEX_DUMP(QDF_MODULE_ID_PE, QDF_TRACE_LEVEL_DEBUG, + pCurrentReq->request.Beacon.reqIes.pElementIds, + pCurrentReq->request.Beacon.reqIes.num); } if (pBeaconReq->measurement_request.Beacon.num_APChannelReport) { |