authorHsiu-Chang Chen <hsiuchangchen@google.com>2022-04-28 17:36:03 +0800
committerHsiu-Chang Chen <hsiuchangchen@google.com>2022-04-28 17:36:03 +0800
commit2d3ebdeabafe4fd0d62dc5352283c55534e2ad0d (patch)
treece981fe0dd5c4626a58255b4afdd612d09fe1ce0
parenta0edefe438fdf7cd337cce66972e972205b6619c (diff)
downloadqcacld-2d3ebdeabafe4fd0d62dc5352283c55534e2ad0d.tar.gz
qcacld-3.0: Add checks for the assoc req/res lengths
In some cases the assoc req/res length can be less than the respective fixed fields, so the computed length becomes negative; because these are unsigned variables, the req/res lengths are converted to large positive values. Page memory allocation for these lengths then fails. To address this issue, add checks for both the assoc req and res lengths before calculating their values. Bug: 224424231 Test: UI pops up a msg when connecting to a wpa3-sae AP with wrong pwd Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com> Change-Id: Iff404e72420b27bc2a467a25fe530f135ee97c91 CRs-Fixed: 2903644
-rw-r--r--core/hdd/src/wlan_hdd_assoc.c16
1 files changed, 12 insertions, 4 deletions
diff --git a/core/hdd/src/wlan_hdd_assoc.c b/core/hdd/src/wlan_hdd_assoc.c
index 4ac687a95f..2badd954e6 100644
--- a/core/hdd/src/wlan_hdd_assoc.c
+++ b/core/hdd/src/wlan_hdd_assoc.c
@@ -3002,7 +3002,9 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
(u8 *) (roam_info->pbFrames +
roam_info->nBeaconLength +
roam_info->nAssocReqLength);
- if (assoc_rsp) {
+ if (assoc_rsp &&
+ roam_info->nAssocRspLength >
+ ASSOC_RSP_IES_OFFSET) {
/*
* assoc_rsp needs to point to the IEs
*/
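Review bot: The new `roam_info->nAssocRspLength > ASSOC_RSP_IES_OFFSET` test stops the unsigned underflow, but `assoc_rsp` is still formed as `pbFrames + nBeaconLength + nAssocReqLength` with nothing in this hunk confirming that those offsets, plus `nAssocRspLength`, stay inside the buffer `pbFrames` points to. The `assoc_rsp` half of the condition cannot catch that, because a pointer produced by adding lengths to `pbFrames` is non-NULL whenever the sum is non-zero, even if `pbFrames` itself is NULL. Unless the total frame size and `pbFrames` are validated earlier in `hdd_association_completion_handler` (its body starts and ends outside this hunk), I would test the base pointer instead, `if (roam_info->pbFrames && roam_info->nAssocRspLength > ASSOC_RSP_IES_OFFSET) {`, and bound the summed lengths before the pointer arithmetic. The same applies to the hunks at -3021, -3389 and -3408.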
@@ -3021,7 +3023,9 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
assoc_req = (u8 *) (roam_info->pbFrames +
roam_info->nBeaconLength);
if (assoc_req) {
- if (!ft_carrier_on) {
+ if (!ft_carrier_on &&
+ roam_info->nAssocReqLength >
+ ASSOC_REQ_IES_OFFSET) {
/*
* assoc_req needs to point to
* the IEs
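Review bot: And-ing the length test into `if (!ft_carrier_on && ...)` changes which branch a short frame takes. When `ft_carrier_on` is false and `nAssocReqLength` is at or below `ASSOC_REQ_IES_OFFSET`, control now reaches whatever `else` follows this `if`; that branch lies outside the hunk and was presumably written for the `ft_carrier_on` case, so it may treat the truncated frame as a valid IE buffer. The hunk at -3389 puts the same test on the outer `if (assoc_req && ...)`, where a short frame is skipped, so the two paths now disagree. If skipping is the intent here too, keep `if (!ft_carrier_on) {` as it was and nest `if (roam_info->nAssocReqLength > ASSOC_REQ_IES_OFFSET) {` inside it, so the `else` path stays reserved for the FT case.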
@@ -3389,7 +3393,9 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
assoc_req =
(u8 *)(roam_info->pbFrames +
roam_info->nBeaconLength);
- if (assoc_req) {
+ if (assoc_req &&
+ roam_info->nAssocReqLength >
+ ASSOC_REQ_IES_OFFSET) {
/*
* assoc_req needs to point to
* the IEs
@@ -3408,7 +3414,9 @@ hdd_association_completion_handler(struct hdd_adapter *adapter,
(u8 *)(roam_info->pbFrames +
roam_info->nBeaconLength +
roam_info->nAssocReqLength);
- if (assoc_rsp) {
+ if (assoc_rsp &&
+ roam_info->nAssocRspLength >
+ ASSOC_RSP_IES_OFFSET) {
/*
* assoc_rsp needs to point to the IEs
*/