authorJianmin Zhu <quic_jianminz@quicinc.com>2021-12-15 20:49:06 +0800
committerPaul Chen <chenpaul@google.com>2022-05-12 10:05:08 +0000
commitf49181183168fcda546e61afa237bc02242998fd (patch)
tree2b6bcc2d9f400a847c12e43ee3d413b94b07e747
parent28d78f8fec1cc98d6157b8213d8a8573895a6ff7 (diff)
downloadqcacld-f49181183168fcda546e61afa237bc02242998fd.tar.gz
qcacld-3.0: Fix array OOB for duplicate rate
Some IoT APs may have duplicate rates in the supported rates and extended rates of the beacon. These need to be filtered when populating the peer 11a/11b rates during connect/roaming, or an array out-of-bounds access will occur. Change-Id: I685e8c07ee147296bfa22742dad4210e7fa02c4a CRs-Fixed: 3048142 Bug: 211125453 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/mac/src/pe/lim/lim_assoc_utils.c83
1 files changed, 43 insertions, 40 deletions
diff --git a/core/mac/src/pe/lim/lim_assoc_utils.c b/core/mac/src/pe/lim/lim_assoc_utils.c
index 1323592060..3ed82c7b70 100644
--- a/core/mac/src/pe/lim/lim_assoc_utils.c
+++ b/core/mac/src/pe/lim/lim_assoc_utils.c
@@ -1660,7 +1660,9 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac,
{
tSirMacRateSet tempRateSet;
tSirMacRateSet tempRateSet2;
- uint32_t i, j, val, min, isArate = 0;
+ uint32_t i, j, val, min;
+ uint8_t aRateIndex = 0;
+ uint8_t bRateIndex = 0;
/* copy operational rate set from psessionEntry */
if (psessionEntry->rateSet.numRates <= SIR_MAC_RATESET_EID_MAX) {
@@ -1705,51 +1707,52 @@ lim_populate_peer_rate_set(tpAniSirGlobal pMac,
* Sort rates in tempRateSet (they are likely to be already sorted)
* put the result in pSupportedRates
*/
- {
- uint8_t aRateIndex = 0;
- uint8_t bRateIndex = 0;
-
- qdf_mem_zero((uint8_t *) pRates, sizeof(tSirSupportedRates));
- for (i = 0; i < tempRateSet.numRates; i++) {
- min = 0;
- val = 0xff;
- isArate = 0;
- for (j = 0;
- (j < tempRateSet.numRates)
- && (j < SIR_MAC_RATESET_EID_MAX); j++) {
- if ((uint32_t) (tempRateSet.rate[j] & 0x7f) <
- val) {
- val = tempRateSet.rate[j] & 0x7f;
- min = j;
- }
+ qdf_mem_zero((uint8_t *)pRates, sizeof(tSirSupportedRates));
+ for (i = 0; i < tempRateSet.numRates; i++) {
+ min = 0;
+ val = 0xff;
+ for (j = 0; (j < tempRateSet.numRates)
+ && (j < SIR_MAC_RATESET_EID_MAX); j++) {
+ if ((uint32_t)(tempRateSet.rate[j] & 0x7f) < val) {
+ val = tempRateSet.rate[j] & 0x7f;
+ min = j;
}
- if (sirIsArate(tempRateSet.rate[min] & 0x7f))
- isArate = 1;
- /*
- * HAL needs to know whether the rate is basic rate or not, as it needs to
- * update the response rate table accordingly. e.g. if one of the 11a rates is
- * basic rate, then that rate can be used for sending control frames.
- * HAL updates the response rate table whenever basic rate set is changed.
- */
- if (basicOnly) {
- if (tempRateSet.rate[min] & 0x80) {
- if (isArate)
- pRates->llaRates[aRateIndex++] =
- tempRateSet.rate[min];
- else
- pRates->llbRates[bRateIndex++] =
- tempRateSet.rate[min];
- }
+ }
+ /*
+ * HAL needs to know whether the rate is basic rate or not, as it needs to
+ * update the response rate table accordingly. e.g. if one of the 11a rates is
+ * basic rate, then that rate can be used for sending control frames.
+ * HAL updates the response rate table whenever basic rate set is changed.
+ */
+ if (basicOnly && !(tempRateSet.rate[min] & 0x80)) {
+ pe_debug("Invalid basic rate");
+ } else if (sirIsArate(tempRateSet.rate[min] & 0x7f)) {
+ if (aRateIndex >= SIR_NUM_11A_RATES) {
+ pe_debug("OOB, aRateIndex: %d", aRateIndex);
+ } else if (aRateIndex >= 1 && (tempRateSet.rate[min] ==
+ pRates->llaRates[aRateIndex - 1])) {
+ pe_debug("Duplicate 11a rate: %d",
+ tempRateSet.rate[min]);
} else {
- if (isArate)
- pRates->llaRates[aRateIndex++] =
+ pRates->llaRates[aRateIndex++] =
tempRateSet.rate[min];
- else
- pRates->llbRates[bRateIndex++] =
+ }
+ } else if (sirIsBrate(tempRateSet.rate[min] & 0x7f)) {
+ if (bRateIndex >= SIR_NUM_11B_RATES) {
+ pe_debug("OOB, bRateIndex: %d", bRateIndex);
+ } else if (bRateIndex >= 1 && (tempRateSet.rate[min] ==
+ pRates->llbRates[bRateIndex - 1])) {
+ pe_debug("Duplicate 11b rate: %d",
+ tempRateSet.rate[min]);
+ } else {
+ pRates->llbRates[bRateIndex++] =
tempRateSet.rate[min];
}
- tempRateSet.rate[min] = 0xff;
+ } else {
+ pe_debug("%d is neither 11a nor 11b rate",
+ tempRateSet.rate[min]);
}
+ tempRateSet.rate[min] = 0xff;
}
if (IS_DOT11_MODE_HT(psessionEntry->dot11mode)) {
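Review bot: The duplicate test in both the 11a and 11b branches compares the full rate byte, basic-rate bit 0x80 included, while the sort key and the `sirIsArate`/`sirIsBrate` calls mask with 0x7f. A beacon that lists the same rate once as basic and once as non-basic would therefore sort adjacent but not be seen as a duplicate when `basicOnly` is false. The new `aRateIndex >= SIR_NUM_11A_RATES` and `bRateIndex >= SIR_NUM_11B_RATES` guards still keep the writes in bounds, so the effect is functional: presumably such near-duplicates can fill the table and cause later legitimate rates to be dropped. Consider comparing masked values, e.g. `(tempRateSet.rate[min] & 0x7f) == (pRates->llaRates[aRateIndex - 1] & 0x7f)` and the same for `llbRates`, and deciding explicitly which copy of the basic bit wins. Because the rate set comes from a received beacon, the truncation paths may also deserve more than `pe_debug`; the function body continues outside this hunk.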