author | Srinivas Girigowda <sgirigow@codeaurora.org> | 2018-05-29 14:11:53 -0700 |
committer | Srinivas Girigowda <sgirigow@codeaurora.org> | 2018-05-29 14:12:50 -0700 |
commit | 18be19974f2d830691fb4d11a6474f7f29ab6c9c (patch) | |
tree | b3b685899d9edbe138e8762e50a40cdbfd956b97 /core/wma/src/wma_mgmt.c | |
parent | d048a5bcf03239a005407a30fc39da46dc3d7ce0 (diff) | |
download | qcacld-18be19974f2d830691fb4d11a6474f7f29ab6c9c.tar.gz |
qcacld-3.0: Release 5.3.1.1L
43ea0b0 qcacld-3.0: Dont pass source argument as nla_data to nla_memcpy
193fd1a Release 5.3.1.1L
fc0db5e qcacld-3.0: Use request manager API for RCPI feature
03e6ec8 qcacld-3.0: Add per-chain RSSI prints in WMA layer
06cc9ce qcacld-3.0: Add a NULL check on channels in IOCTL SETROAMSCANCHANNELS
c10d8aa qcacld-3.0: Fix buffer overwrite in csr_roam_diag_joined_new_bss()
bd75dc7 qcacld-3.0: Fix buffer overwrite in lim_mlm_add_bss()
325214e qcacld-3.0: Fix NULL acs_cfg ptr access
318cfde qcacld-3.0: Avoid possible NULL pointer dereference
e34b18d qcacld-3.0: Fix possible OOB issue in ol_tx_desc_update_group_credit
c33a8be qcacld-3.0: Fix possible OOB access in ol_rx_reorder_detect_hole
12734b7 qcacld-3.0: Avoid VDEV start for new interface when roaming in progress
7622df0 qcacld-3.0: Reject DISA test vendor command if power save is enabled
..................
Bug: 80408179
Change-Id: I474badd9b1f3fc0927f991a1898343832dba93ea
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r-- | core/wma/src/wma_mgmt.c | 39 |
1 files changed, 35 insertions, 4 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index ea1b718d35..e51a735638 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3297,6 +3297,13 @@ int wma_process_rmf_frame(tp_wma_handle wma_handle,
 cds_pkt_return_packet(rx_pkt);
 return -EINVAL;
 }
+ if (qdf_nbuf_len(wbuf) < (sizeof(*wh) + IEEE80211_CCMP_HEADERLEN +
+ IEEE80211_CCMP_MICLEN)) {
+ WMA_LOGE("Buffer length less than expected %d ",
+ (int)qdf_nbuf_len(wbuf));
+ cds_pkt_return_packet(rx_pkt);
+ return -EINVAL;
+ }
 orig_hdr = (uint8_t *) qdf_nbuf_data(wbuf);
 /* Pointer to head of CCMP header */
@@ -3481,6 +3488,7 @@ end:
 }
 #define RATE_LIMIT 16
+#define RESERVE_BYTES 100
 /**
 * wma_mgmt_rx_process() - process management rx frame.
 * @handle: wma handle 
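Review bot: The new minimum-length guard in wma_process_rmf_frame() emits WMA_LOGE for every rejected frame, and the length being tested comes from an over-the-air management frame, so a peer that keeps sending truncated protected frames can flood the log from this one branch; the file defines RATE_LIMIT just below, presumably for the rx path, and the same rate limiting (or a lower log level) would be safer here. The message also omits the bound that was compared against, so a field report cannot tell how short the frame was; `WMA_LOGE("Buffer length %d less than expected %d", (int)qdf_nbuf_len(wbuf), (int)(sizeof(*wh) + IEEE80211_CCMP_HEADERLEN + IEEE80211_CCMP_MICLEN));` makes it self-explaining. The minimum is hard-wired to the CCMP header and MIC sizes; if this path can also carry frames protected with another cipher whose header or MIC length differs, the bound should follow the negotiated cipher — the hunk does not show which ciphers reach here. wma_process_rmf_frame() begins and ends outside the hunk.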
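Review bot: RESERVE_BYTES is added as a bare `#define RESERVE_BYTES 100` with no comment, while the justification for the value lives only in the block comment at the allocation site in wma_mgmt_rx_process(); a one-line comment at the definition, e.g. `/* Slack appended to every mgmt rx allocation; see the comment in wma_mgmt_rx_process() */`, keeps the two from drifting apart when either is edited. The constant is also not expressed in terms of the sizes it is meant to cover (the 2-byte RSN capability fix-up and the IEEE header plus CCMP header), so a later change to either cannot be checked against it; stating at least which of them it must exceed would help.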
@@ -3616,9 +3624,28 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
 qdf_mem_free(rx_pkt);
 return -EINVAL;
 }
-
- /* Why not just use rx_event->hdr.buf_len? */
- wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len, 4), 0, 4, false);
+ /*
+ * Allocate the memory for this rx packet, add extra 100 bytes for:-
+ *
+ * 1. Filling the missing RSN capabilites by some APs, which fill the
+ * RSN IE length as extra 2 bytes but dont fill the IE data with
+ * capabilities, resulting in failure in unpack core due to length
+ * mismatch. Check sir_validate_and_rectify_ies for more info.
+ *
+ * 2. In the API wma_process_rmf_frame(), the driver trims the CCMP
+ * header by overwriting the IEEE header to memory occupied by CCMP
+ * header, but an overflow is possible if the memory allocated to
+ * frame is less than the sizeof(struct ieee80211_frame) +CCMP
+ * HEADER len, so allocating 100 bytes would solve this issue too.
+ *
+ * 3. CCMP header is pointing to orig_hdr +
+ * sizeof(struct ieee80211_frame) which could also result in OOB
+ * access, if the data len is less than
+ * sizeof(struct ieee80211_frame), allocating extra bytes would
+ * result in solving this issue too.
+ */
+ wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len + RESERVE_BYTES,
+ 4), 0, 4, false);
 if (!wbuf) {
 WMA_LOGE("%s: Failed to allocate wbuf for mgmt rx len(%u)",
 __func__, hdr->buf_len);
@@ -3664,7 +3691,7 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
 mgt_type = (wh)->i_fc[0] & IEEE80211_FC0_TYPE_MASK;
 mgt_subtype = (wh)->i_fc[0] & IEEE80211_FC0_SUBTYPE_MASK;
- WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" snr = %d, Type = %x, Subtype = %x, seq_num = %x, rssi = %d, rssi_raw = %d tsf_delta: %u"),
+ WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" snr = %d, Type = %x, Subtype = %x, seq_num = %x, rssi = %d, rssi_raw = %d rssi for chain0 is :- %d, chain1 is %d, tsf_delta: %u"),
 MAC_ADDR_ARRAY(wh->i_addr3), hdr->snr, mgt_type, mgt_subtype, (((*(uint16_t *)wh->i_seq) & 
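Review bot: The block comment above the qdf_nbuf_alloc() call presents the extra RESERVE_BYTES as the fix for the CCMP-header overwrite and the orig_hdr + sizeof(struct ieee80211_frame) read (items 2 and 3), but slack in the allocation only keeps those accesses inside the buffer; for a frame shorter than the IEEE header the "CCMP header" would then be read from bytes the firmware never filled, so the frame still has to be rejected. The rejection is the qdf_nbuf_len() check this same commit adds in wma_process_rmf_frame(), and the comment should say so, otherwise a later reader may treat that check as redundant and remove it; suggest replacing items 2 and 3 with a sentence such as `* 2./3. Frames shorter than the IEEE header + CCMP header are rejected by the length check in wma_process_rmf_frame(); the slack only guarantees the CCMP-header trim cannot write past the allocation.` ("capabilites" and "dont" are also misspelled.) `hdr->buf_len + RESERVE_BYTES` is computed on a firmware-supplied length with no check visible here; if buf_len is not bounded earlier in the function (that code is outside the hunk) the sum can wrap before roundup(). wma_mgmt_rx_process() continues beyond the hunk.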
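Review bot: The new format string reads `rssi_raw = %d rssi for chain0 is :- %d, chain1 is %d,` with no separator after the rssi_raw value and an awkward ":-", which breaks the key = value pattern the rest of the line uses and makes the debug output harder to grep; `rssi_raw = %d, rssi_chain0 = %d, rssi_chain1 = %d, tsf_delta: %u` keeps the existing convention. The literal is also now far past 80 columns and is worth splitting across adjacent string-literal pieces on continuation lines.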
@@ -3672,6 +3699,10 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
 IEEE80211_SEQ_SEQ_SHIFT),
 rx_pkt->pkt_meta.rssi,
 rx_pkt->pkt_meta.rssi_raw,
+ (rx_pkt->pkt_meta.rssi_per_chain[0] +
+ WMA_NOISE_FLOOR_DBM_DEFAULT),
+ (rx_pkt->pkt_meta.rssi_per_chain[1] +
+ WMA_NOISE_FLOOR_DBM_DEFAULT),
 hdr->tsf_delta);
 if (!wma_handle->mgmt_rx) {
 WMA_LOGE("Not registered for Mgmt rx, dropping the frame");
|
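Review bot: The two per-chain values are logged as rssi_per_chain[i] + WMA_NOISE_FLOOR_DBM_DEFAULT while `rssi` and `rssi_raw` on the preceding lines are passed through untouched, so one log line now mixes values in different units with nothing in the code saying which is which; a comment above the added arguments such as `/* per-chain values are offset by WMA_NOISE_FLOOR_DBM_DEFAULT so the log shows dBm like rssi */` (adjust if that is not the intent), or two locals computed before the WMA_LOGD, would make the conversion explicit and shorten the argument list. The hunk indexes chains 0 and 1 unconditionally; if rssi_per_chain is sized by the platform's chain count, index 1 should be guarded by that size — the declaration is not in the hunk. The enclosing wma_mgmt_rx_process() continues past the hunk.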