diff options
author | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2024-02-19 14:03:18 +0800 |
---|---|---|
committer | Hsiu-Chang Chen <hsiuchangchen@google.com> | 2024-02-19 07:21:28 +0000 |
commit | dbcdeb2032f17534848957448a1b6fde5ada1c8e (patch) | |
tree | 34b1d93c12038e493e902ec06c358adc44303f1f | |
parent | 049759cf3ea8ec9cd0c506a59e068a042732b221 (diff) | |
download | qca-wfi-host-cmn-android-msm-redbull-4.19-android14-qpr3-beta.tar.gz |
qcacmn: Fix OOB issueandroid-u-qpr3-beta-2.1_r0.6android-msm-redbull-4.19-android14-qpr3-beta
Changes to fix OOB issue seen util_scan_parse_beacon_frame.
Bug: 323926776
Test: Regression Test
Change-Id: I53244be54d31e87b55d0b44ce94315c8001f417d
CRs-Fixed: 3582496
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
-rw-r--r-- | umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h | 3 | ||||
-rw-r--r-- | umac/scan/dispatcher/src/wlan_scan_utils_api.c | 3 |
2 files changed, 6 insertions, 0 deletions
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h index d8d688e58..34e4f5ebd 100644 --- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h +++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h @@ -146,6 +146,9 @@ /* Max channel switch time IE length */ #define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4 +#define WLAN_MIN_HECAP_IE_LEN 22 +#define WLAN_MAX_HECAP_IE_LEN 55 + /* HT capability flags */ #define WLAN_HTCAP_C_ADVCODING 0x0001 #define WLAN_HTCAP_C_CHWIDTH40 0x0002 diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c index 655af7cf2..62e8e00e3 100644 --- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c +++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c @@ -433,6 +433,9 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params, scan_params->ie_list.srp = (uint8_t *)ie; break; case WLAN_EXTN_ELEMID_HECAP: + if ((extn_ie->ie_len < WLAN_MIN_HECAP_IE_LEN) || + (extn_ie->ie_len > WLAN_MAX_HECAP_IE_LEN)) + return QDF_STATUS_E_INVAL; scan_params->ie_list.hecap = (uint8_t *)ie; break; case WLAN_EXTN_ELEMID_HEOP: |