diff options
| author | sheenam monga <shebala@codeaurora.org> | 2021-02-22 11:45:52 +0530 |
|---|---|---|
| committer | chenpaul <chenpaul@google.com> | 2021-03-23 18:57:23 +0800 |
| commit | f5e2ac6f3ddac63a880819551f93f2c4103053bb (patch) | |
| tree | 13baaf0cb9fe56f3ed292a9535800386c111abb7 | |
| parent | 4cab877d52965af2e1b0a53ef4c026cbe02c894b (diff) | |
| download | qca-wfi-host-cmn-f5e2ac6f3ddac63a880819551f93f2c4103053bb.tar.gz | |
qcacmn: Add length check in beacon IE parsing function
Add length check in scan beacon IE processing function for the below IEs to
avoid any possible memory corruption.
1. WLAN_ELEMID_COUNTRY
2. WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH
3. WLAN_ELEMID_VHT_TX_PWR_ENVLP
4. WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME
Change-Id: I860bee8633849215d46c2dfe60a1a98d7c80f510
CRs-Fixed: 2873394
Bug: 182351550
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
| -rw-r--r-- | umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h | 11 | ||||
| -rw-r--r-- | umac/scan/dispatcher/src/wlan_scan_utils_api.c | 6 |
2 files changed, 17 insertions, 0 deletions
diff --git a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h index 39617ab13..7f62d4906 100644 --- a/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h +++ b/umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h @@ -107,6 +107,17 @@ #define WLAN_OPMODE_IE_MAX_LEN 1 #define WLAN_IBSSDFS_IE_MIN_LEN 7 +/* Wide band channel switch IE length */ +#define WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN 3 + +/* Number of max TX power elements supported plus size of Transmit Power + * Information element. + */ +#define WLAN_TPE_IE_MAX_LEN 9 + +/* Max channel switch time IE length */ +#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4 + /* HT capability flags */ #define WLAN_HTCAP_C_ADVCODING 0x0001 #define WLAN_HTCAP_C_CHWIDTH40 0x0002 diff --git a/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/umac/scan/dispatcher/src/wlan_scan_utils_api.c index 19407dce1..dd233e7d1 100644 --- a/umac/scan/dispatcher/src/wlan_scan_utils_api.c +++ b/umac/scan/dispatcher/src/wlan_scan_utils_api.c @@ -308,12 +308,18 @@ util_scan_parse_chan_switch_wrapper_ie(struct scan_cache_entry *scan_params, } switch (sub_ie->ie_id) { case WLAN_ELEMID_COUNTRY: + if (sub_ie->ie_len < WLAN_COUNTRY_IE_MIN_LEN) + return QDF_STATUS_E_INVAL; scan_params->ie_list.country = (uint8_t *)sub_ie; break; case WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH: + if (sub_ie->ie_len != WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN) + return QDF_STATUS_E_INVAL; scan_params->ie_list.widebw = (uint8_t *)sub_ie; break; case WLAN_ELEMID_VHT_TX_PWR_ENVLP: + if (sub_ie->ie_len > WLAN_TPE_IE_MAX_LEN) + return QDF_STATUS_E_INVAL; scan_params->ie_list.txpwrenvlp = (uint8_t *)sub_ie; break; } |