authorduyahui <duyahui@xiaomi.com>2019-07-23 14:38:26 +0800
committerduyahui <duyahui@xiaomi.com>2019-07-23 14:38:26 +0800
commitd632267079067e3aed20f95b51850c337d90f4eb (patch)
treeb127af2e721d615cf7ddc0169601cd4c8bc914ad
parentac47a49a831efeb98fa074fb644375e5dd08c870 (diff)
baiji: sync changes from qcom-LW.BR.4.0.3-02500
Bug: 130678563 Signed-off-by: duyahui<duyahui@xiaomi.com> Change-Id: I1733a8752c86fb8484274a5499838128ac08b833
-rw-r--r--CORE/HDD/src/wlan_hdd_cfg80211.c5
-rw-r--r--CORE/HDD/src/wlan_hdd_main.c8
-rw-r--r--CORE/MAC/src/include/dot11f.h2
-rw-r--r--CORE/MAC/src/pe/lim/limProcessActionFrame.c18
-rw-r--r--CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c2
-rw-r--r--CORE/MAC/src/pe/lim/limProcessDeauthFrame.c11
-rw-r--r--CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c4
-rw-r--r--CORE/SME/src/rrm/sme_rrm.c6
-rw-r--r--CORE/SYS/legacy/src/utils/src/dot11f.c25
-rw-r--r--CORE/SYS/legacy/src/utils/src/parserApi.c6
10 files changed, 64 insertions, 23 deletions
diff --git a/CORE/HDD/src/wlan_hdd_cfg80211.c b/CORE/HDD/src/wlan_hdd_cfg80211.c
index 4bed86901..ed91e8500 100644
--- a/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -5093,6 +5093,11 @@ static int hdd_extscan_start_fill_bucket_channel_spec(
j++;
}
+ if (j != pReqMsg->buckets[bktIndex].numChannels) {
+ hddLog(LOG1, FL("Input parameters didn't match"));
+ return -EINVAL;
+ }
+
bktIndex++;
}
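Review bot: The mismatch is detected only after the loop has already stored `j` entries for the bucket, and `Input parameters didn't match` at LOG1 gives an operator neither the two counts nor an error-level line for what is a rejected request. I would log it as `hddLog(LOGE, FL("bucket %d: parsed %d channels, expected %d"), bktIndex, j, pReqMsg->buckets[bktIndex].numChannels);`. If the loop above writes into a fixed-size per-bucket array, the bound on numChannels itself has to be enforced before the loop rather than here; that part of hdd_extscan_start_fill_bucket_channel_spec is outside the hunk, so I cannot tell whether it is. The function starts and ends outside the hunk.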
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index aa95229b5..13c0421d5 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -15772,6 +15772,8 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
hdd_context_t *hdd_ctx = NULL;
hdd_adapter_t *adapter = NULL;
v_CONTEXT_t vos_context = NULL;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
vos_context = vos_get_global_context(VOS_MODULE_ID_SYS, NULL);
@@ -15787,6 +15789,12 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
{
return;
}
+
+ if (frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {
+ hddLog(LOGE, FL(" Invalid frame length"));
+ return;
+ }
+
adapter = hdd_get_adapter_by_sme_session_id(hdd_ctx,
frame_ind->sessionId);
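Review bot: The new length check reads `mgmt->frame_control` before anything has established that frameBuf holds at least those two bytes, so a frame_ind whose frameLen is below sizeof(mgmt->frame_control) is read past its payload by the check itself. Guard the field read first, e.g. `if (frame_ind->frameLen < sizeof(mgmt->frame_control) || frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {`, which keeps the existing error path. The `mgmt` cast introduced in the previous hunk of this file is where the pointer comes from; the check only covers the 802.11 header, so whatever reads the frame body further down in hdd_indicate_mgmt_frame (outside the hunk) still needs its own bound. The function ends outside the hunk.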
diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index 7beb4decf..5babd8a9d 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -32,7 +32,7 @@
* \brief Structures, function prototypes & definitions
* for working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Oct 22 17:30:52 2018 from the following file(s):
+ * Mon Dec 3 16:47:12 2018 from the following file(s):
*
* dot11f.frms
*
diff --git a/CORE/MAC/src/pe/lim/limProcessActionFrame.c b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
index bf364ee16..db24aacea 100644
--- a/CORE/MAC/src/pe/lim/limProcessActionFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessActionFrame.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017, 2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -71,7 +71,7 @@
#ifdef WLAN_FEATURE_LFR_MBB
#include "lim_mbb.h"
#endif
-
+#include "dot11f.h"
#define BA_DEFAULT_TX_BUFFER_SIZE 64
@@ -2185,6 +2185,7 @@ static void __limProcessSAQueryRequestActionFrame(tpAniSirGlobal pMac, tANI_U8 *
tpSirMacMgmtHdr pHdr;
tANI_U8 *pBody;
tANI_U8 transId[2];
+ uint32_t frame_len;
/* Prima --- Below Macro not available in prima
pHdr = SIR_MAC_BD_TO_MPDUHEADER(pBd);
@@ -2192,7 +2193,13 @@ static void __limProcessSAQueryRequestActionFrame(tpAniSirGlobal pMac, tANI_U8 *
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frame_len < sizeof(struct sDot11fSaQueryReq)) {
+ VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_ERROR,
+ ("Invalid frame length"));
+ return;
+ }
/* If this is an unprotected SA Query Request, then ignore it. */
if (pHdr->fc.wep == 0)
return;
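Review bot: The check `frame_len < sizeof(struct sDot11fSaQueryReq)` compares the received payload against the size of the unpacked C struct rather than the encoded frame size; the two agree only if the generated struct carries no padding or presence fields, which I cannot confirm from this hunk. If they differ, the check is either too strict (dropping valid SA Query requests) or too loose, so either compare against the explicit wire length the unpack routine needs or add a comment recording why sizeof of the struct is the right bound. The error trace is more useful with the value, e.g. `("Invalid SA Query Request length %u"), frame_len`. The same applies to the `sizeof(struct sDot11fSaQueryRsp)` check in the next hunk of this file. __limProcessSAQueryRequestActionFrame starts and ends outside the hunk.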
@@ -2241,12 +2248,19 @@ static void __limProcessSAQueryResponseActionFrame(tpAniSirGlobal pMac, tANI_U8
tANI_U16 aid;
tANI_U16 transId;
tANI_U8 retryNum;
+ uint32_t frame_len;
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_INFO,
("SA Query Response received...")) ;
+ if (frame_len < sizeof(struct sDot11fSaQueryRsp)) {
+ VOS_TRACE(VOS_MODULE_ID_PE, VOS_TRACE_LEVEL_ERROR,
+ ("Invalid frame length"));
+ return;
+ }
/* When a station, supplicant handles SA Query Response.
Forward to SME to HDD to wpa_supplicant. */
if (eLIM_STA_ROLE == psessionEntry->limSystemRole)
diff --git a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
index 427300d90..06a4c0fdf 100644
--- a/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
@@ -783,7 +783,7 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,
{
if (dot11fUnpackIeWPA(pMac,
&pAssocReq->wpa.info[4], //OUI is not taken care
- pAssocReq->wpa.length,
+ (pAssocReq->wpa.length - 4),
&Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)
{
limLog(pMac, LOGE, FL("Invalid WPA IE"));
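Review bot: `pAssocReq->wpa.length - 4` wraps when the IE is shorter than its 4-byte OUI prefix: the unsigned length field is promoted, the subtraction goes negative, and the value converted for the length parameter becomes very large, while `&pAssocReq->wpa.info[4]` already points past the copied bytes. Unless a check that wpa.length is at least 4 precedes this call (not visible in the hunk), widen the condition, e.g. `if (pAssocReq->wpa.length < 4 || dot11fUnpackIeWPA(pMac, &pAssocReq->wpa.info[4], pAssocReq->wpa.length - 4, &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)`, so the existing `Invalid WPA IE` path handles both cases. limProcessAssocReqFrame starts and ends outside the hunk.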
diff --git a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index d4ea76310..8554e612b 100644
--- a/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -71,15 +71,19 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
tpDphHashNode pStaDs;
tpPESession pRoamSessionEntry=NULL;
tANI_U8 roamSessionId;
-#ifdef WLAN_FEATURE_11W
tANI_U32 frameLen;
-#endif
-
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frameLen < sizeof(reasonCode)) {
+ PELOGE(limLog(pMac, LOGE,
+ FL("received invalid framelen %d"), frameLen);)
+ return;
+ }
+
if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) &&
((eLIM_SME_WT_DISASSOC_STATE == psessionEntry->limSmeState) ||
(eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState)))
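Review bot: The new log `FL("received invalid framelen %d"), frameLen` formats a tANI_U32 with `%d`; use `%u` to match the declaration a few lines above. The bound `sizeof(reasonCode)` is right only if reasonCode is declared as the 16-bit on-air type; its declaration is above the hunk, so confirm it, or write `sizeof(tANI_U16) /* Reason Code field */` so the bound does not silently follow a later change of the local's type. With the `#ifdef WLAN_FEATURE_11W` removed from the declaration, frameLen is now used unconditionally, which the second hunk of this file (dropping the later assignment) relies on. limProcessDeauthFrame starts and ends outside the hunk.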
@@ -126,7 +130,6 @@ limProcessDeauthFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo, tpPESession p
PELOGE(limLog(pMac, LOGE, FL("received an unprotected deauth from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
index 339bc5345..a3c05cb7a 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmReqMessages.c
@@ -1763,7 +1763,7 @@ limMlmAddBss (
pAddBssParams->rateSet.numRates = SIR_MAC_RATESET_EID_MAX;
}
vos_mem_copy(pAddBssParams->rateSet.rate,
- pMlmStartReq->rateSet.rate, pMlmStartReq->rateSet.numRates);
+ pMlmStartReq->rateSet.rate, pAddBssParams->rateSet.numRates);
pAddBssParams->nwType = pMlmStartReq->nwType;
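Review bot: The clamp of `numRates` to SIR_MAC_RATESET_EID_MAX just above the copy is silent, so a start request carrying more rates than fit is truncated with no trace of it; the same holds for the ssId.length clamp that the second hunk of this file now uses as the copy length. A warning in the clamp branch, e.g. `limLog(pMac, LOGW, FL("rateSet.numRates %d clamped to %d"), pMlmStartReq->rateSet.numRates, SIR_MAC_RATESET_EID_MAX);`, makes malformed requests visible without changing behaviour. Using the clamped destination count as the copy length is the right fix. limMlmAddBss starts and ends outside the hunk.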
@@ -1798,7 +1798,7 @@ limMlmAddBss (
}
vos_mem_copy(pAddBssParams->ssId.ssId,
pMlmStartReq->ssId.ssId,
- pMlmStartReq->ssId.length);
+ pAddBssParams->ssId.length);
pAddBssParams->bHiddenSSIDEn = pMlmStartReq->ssidHidden;
limLog( pMac, LOGE, FL( "TRYING TO HIDE SSID %d" ),pAddBssParams->bHiddenSSIDEn);
diff --git a/CORE/SME/src/rrm/sme_rrm.c b/CORE/SME/src/rrm/sme_rrm.c
index 102dc5f63..9182640be 100644
--- a/CORE/SME/src/rrm/sme_rrm.c
+++ b/CORE/SME/src/rrm/sme_rrm.c
@@ -856,6 +856,12 @@ void sme_RrmProcessBeaconReportReqInd(tpAniSirGlobal pMac, void *pMsgBuf)
#if defined WLAN_VOWIFI_DEBUG
smsLog( pMac, LOGE, "Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum );
#endif
+
+ if (pBeaconReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS) {
+ smsLog( pMac, LOGP, "Beacon report request numChannels: %u exceeds "
+ "max num channels", pBeaconReq->channelList.numChannels);
+ return;
+ }
//section 11.10.8.1 (IEEE Std 802.11k-2008)
//channel 0 and 255 has special meaning.
if( (pBeaconReq->channelInfo.channelNum == 0) ||
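Review bot: The rejection of an over-long channel list is logged at LOGP, the most severe level in this driver; a beacon report request arrives from the associated AP over the air, so if LOGP feeds an assert or recovery path anywhere here, a malformed frame can take the interface down instead of simply being dropped. Log it at LOGE: `smsLog( pMac, LOGE, "Beacon report request numChannels: %u exceeds max num channels", pBeaconReq->channelList.numChannels);`. The bound reuses SIR_ESE_MAX_MEAS_IE_REQS; confirm it equals the capacity of the channelList array rather than only the ESE measurement-request limit, if the two are defined independently. sme_RrmProcessBeaconReportReqInd starts and ends outside the hunk.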
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index 90af7d259..78872805b 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -30,7 +30,7 @@
* \brief Structures, functions & definitions for
* working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Oct 22 17:30:52 2018 from the following file(s):
+ * Mon Dec 3 16:47:12 2018 from the following file(s):
*
* dot11f.frms
*
@@ -22723,16 +22723,13 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
if (pIe)
{
- if ((nBufRemaining < pIe->minSize - pIe->noui - 2U) ||
- (len < pIe->minSize - pIe->noui - 2U))
+ if ((nBufRemaining < pIe->minSize - pIe->noui - 2U))
{
- FRAMES_LOG4(pCtx, FRLOGW, FRFL("The IE %s must "
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
"be at least %d bytes in size, but "
"there are only %d bytes remaining in "
- "this frame or the IE reports a size "
- "of %d bytes.\n"),
- pIe->name, pIe->minSize, nBufRemaining,
- (len + pIe->noui + 2U));
+ "this frame.\n"),
+ pIe->name, pIe->minSize, nBufRemaining);
FRAMES_DUMP(pCtx, FRLOG1, pBuf, nBuf);
status |= DOT11F_INCOMPLETE_IE;
FRAMES_DBG_BREAK();
@@ -22740,6 +22737,14 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
}
else
{
+ if (len < pIe->minSize - pIe->noui - 2U) {
+ FRAMES_LOG3(pCtx, FRLOGW, FRFL("The IE %s must "
+ "be at least %d bytes in size, but "
+ "there are only %d bytes in the IE\n"),
+ pIe->name, pIe->minSize, (len + pIe->noui + 2U));
+ goto skip_ie;
+ }
+
if (len > pIe->maxSize - pIe->noui - 2U){
FRAMES_LOG1(pCtx, FRLOGW, FRFL("The IE %s reports "
"an unexpectedly large size; it is presumably "
@@ -22752,7 +22757,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
status |= DOT11F_DUPLICATE_IE;
- goto skip_dup_ie;
+ goto skip_ie;
}
switch (pIe->sig)
{
@@ -23232,7 +23237,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
status |= DOT11F_UNKNOWN_IES;
}
-skip_dup_ie:
+skip_ie:
pBufRemaining += len;
if (len > nBufRemaining)
diff --git a/CORE/SYS/legacy/src/utils/src/parserApi.c b/CORE/SYS/legacy/src/utils/src/parserApi.c
index d71afcda1..95bc4c8ee 100644
--- a/CORE/SYS/legacy/src/utils/src/parserApi.c
+++ b/CORE/SYS/legacy/src/utils/src/parserApi.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2018 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -4028,7 +4028,7 @@ sirConvertAddtsReq2Struct(tpAniSirGlobal pMac,
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
- if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
+ if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{
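Review bot: The corrected clamp `SIR_MAC_TCLASIE_MAXNUM < j` operates on a value already narrowed by `(tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS)`; if that sum could ever exceed 255 the cast wraps before the comparison and the clamp no longer bounds the loop the way the fix intends. Whether it can depends on the bounds of numTclas and num_WMMTCLAS, which are set outside this hunk; computing the sum in a wider type and clamping before narrowing, e.g. `tANI_U32 total = pAddTs->numTclas + addts.num_WMMTCLAS; j = (tANI_U8)(total > SIR_MAC_TCLASIE_MAXNUM ? SIR_MAC_TCLASIE_MAXNUM : total);`, removes the dependency. The truncation is also silent, so a log when entries are dropped would help diagnose malformed ADDTS frames. The same pattern is in sirConvertAddtsRsp2Struct in the next hunk; both functions start and end outside the hunk.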
@@ -4210,7 +4210,7 @@ sirConvertAddtsRsp2Struct(tpAniSirGlobal pMac,
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
- if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
+ if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{