authorduyahui <duyahui@xiaomi.com>2019-10-17 11:21:40 +0800
committerduyahui <duyahui@xiaomi.com>2019-10-17 11:21:40 +0800
commit9e0c68a4dc6b2293e6217af60af633190187cdd9 (patch)
treee601c8bbfa3e801e27029c78abf081e6aece6f79
parentc4dbd575b19b6d20e28b0dc1943acb0f22136c8a (diff)
baiji: Qcom October security patch to fix potential OOB access
android-wear-9.0.0_r0.52 android-msm-baiji-4.9-pie-wear-mr1
Signed-off-by: duyahui<duyahui@xiaomi.com>
Change-Id: If63eed90b938cacee1bbdd069dec458c721fd142
-rw-r--r--CORE/HDD/src/wlan_hdd_p2p.c9
-rw-r--r--CORE/MAC/src/pe/lim/limProcessDisassocFrame.c15
2 files changed, 16 insertions, 8 deletions
diff --git a/CORE/HDD/src/wlan_hdd_p2p.c b/CORE/HDD/src/wlan_hdd_p2p.c
index dfb908351..90d98da8c 100644
--- a/CORE/HDD/src/wlan_hdd_p2p.c
+++ b/CORE/HDD/src/wlan_hdd_p2p.c
@@ -2762,6 +2762,7 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
/* Get pAdapter from Destination mac address of the frame */
if ((type == SIR_MAC_MGMT_FRAME) &&
(subType != SIR_MAC_MGMT_PROBE_REQ) &&
+ (nFrameLength > WLAN_HDD_80211_FRM_DA_OFFSET + VOS_MAC_ADDR_SIZE) &&
!vos_is_macaddr_broadcast(
(v_MACADDR_t *)&pbFrames[WLAN_HDD_80211_FRM_DA_OFFSET]))
{
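Review bot: The guard added at L25 only skips the destination-address lookup when the frame is shorter than the DA field; it does not reject the frame, so the code after this `if` (outside the hunk, including the action-frame parsing in the next hunk) still runs on a frame that cannot hold a complete management header. If `__hdd_indicate_mgmt_frame` does not validate the length once at entry, an explicit early return for frames shorter than the 802.11 management header, with the observed length in the log line, would state the contract in one place instead of repeating a bound in front of every read. The `>` is also one byte stricter than the six bytes `vos_is_macaddr_broadcast` reads (`>=` would suffice); if the exclusive bound is deliberate, a short comment saying so would keep a later reader from relaxing it. The function body continues outside the hunk.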
@@ -2832,12 +2833,16 @@ void __hdd_indicate_mgmt_frame(hdd_adapter_t *pAdapter,
cfgState = WLAN_HDD_GET_CFG_STATE_PTR( pAdapter );
if ((type == SIR_MAC_MGMT_FRAME) &&
- (subType == SIR_MAC_MGMT_ACTION))
+ (subType == SIR_MAC_MGMT_ACTION) &&
+ (nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 1))
{
if(pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET] == WLAN_HDD_PUBLIC_ACTION_FRAME)
{
// public action frame
- if((pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] == SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
+ if((WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 <
+ nFrameLength) &&
+ (pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+1] ==
+ SIR_MAC_ACTION_VENDOR_SPECIFIC) &&
vos_mem_compare(&pbFrames[WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET+2], SIR_MAC_P2P_OUI, SIR_MAC_P2P_OUI_SIZE))
// P2P action frames
{
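Review bot: The bound at L40-L41 is written as `WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + SIR_MAC_P2P_OUI_SIZE + 2 < nFrameLength` while the new outer check at L34 is written `nFrameLength > …`; the two guards protect adjacent reads of the same buffer and are easier to audit in the same direction, e.g. `(nFrameLength > WLAN_HDD_PUBLIC_ACTION_FRAME_OFFSET + 2 + SIR_MAC_P2P_OUI_SIZE) &&`, with the `+ 2` explained as the category and action-code bytes that precede the OUI. That bound is one byte beyond what the `vos_mem_compare` at L44 needs; presumably the P2P branch that follows (outside the hunk) reads the byte after the OUI, in which case a comment stating that would justify the extra byte rather than leaving it to look like an off-by-one. The enclosing `if` and the function continue past the hunk.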
diff --git a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
index 805ad5f0c..1985c21d7 100644
--- a/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDisassocFrame.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -80,12 +80,16 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
tpSirMacMgmtHdr pHdr;
tpDphHashNode pStaDs;
tLimMlmDisassocInd mlmDisassocInd;
-#ifdef WLAN_FEATURE_11W
- tANI_U32 frameLen;
-#endif
+ tANI_U32 frame_len;
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+
+ if (frame_len < 2) {
+ limLog(pMac, LOGE, FL("frame len less than 2"));
+ return;
+ }
if (limIsGroupAddr(pHdr->sa))
{
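Review bot: The new check at L70-L73 hard-codes `2` in both the condition and the message without saying what the two bytes are; a comment such as `/* disassoc body must at least carry the 2-byte reason code */` and the observed value in the log, `limLog(pMac, LOGE, FL("frame len %u less than 2"), frame_len);`, make the drop diagnosable from the log alone. Since the check runs before the source-address test on L74 and logs at LOGE, every malformed disassociation frame from any sender now produces an error line; if this path is reachable at wire rate, a rate-limited log, where this layer provides one, would be the safer choice. The function continues past the hunk, and the second hunk in this file only follows the `frameLen` to `frame_len` rename.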
@@ -124,10 +128,9 @@ limProcessDisassocFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession
PELOGE(limLog(pMac, LOG1, FL("received an unprotected disassoc from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
- (tANI_U8*)pHdr, (frameLen + sizeof(tSirMacMgmtHdr)),
+ (tANI_U8*)pHdr, (frame_len + sizeof(tSirMacMgmtHdr)),
psessionEntry->smeSessionId, psessionEntry);
return;
}