author | Qun Zhang <qunz@codeaurora.org> | 2018-07-11 10:24:31 +0800 |
---|---|---|
committer | Shirle Yuen <shirleyshukyee@google.com> | 2018-07-30 10:43:00 -0700 |
commit | 912c199918c83d87d63ecd1782d3d1b650e03325 (patch) | |
tree | e2fd4eeb3a2b8242cc35f35c5e04670b860b5053 | |
parent | f39c7864780a3fa528f6c055d963c68a5b54d571 (diff) | |
download | qcom-msm8x09-v3.10-912c199918c83d87d63ecd1782d3d1b650e03325.tar.gz |
qcacld-2.0: Avoid integer underflow in dot11f_unpack functions
propagation from qcacld-3.0 to qcacld-2.0
In the dot11f_unpack functions, the length of the buffer passed in is
decremented as the pointer advances through the buffer. Add a check for
integer underflow before decrementing the length.
qcacld-3.0 to CLD2.0 propagation of the following CRs:
2237141, 2231755, 2246426, 2150438
Change-Id: I4ed39d326855c2027ff0bc3cbe5c8981a2ae2aa1
CRs-Fixed: 2259649
Bug: 111289931
(cherry picked from commit 4cea2c13181fa82b5da9d2f4c1292029a5261137)
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h | 6 | ||||
-rw-r--r-- | drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c | 2184 |
2 files changed, 2188 insertions, 2 deletions
diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h index 1456e379503..1dfff0f8ec7 100644 --- a/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h +++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/include/dot11f.h @@ -32,7 +32,7 @@ * \brief Structures, function prototypes & definitions * for working with 802.11 Frames * This file was automatically generated by 'framesc' - * Thu Dec 28 13:33:15 2017 from the following file(s): + * Wed Jun 20 14:32:20 2018 from the following file(s): * * dot11f.frms * @@ -51,6 +51,10 @@ typedef tANI_U32 tDOT11F_U64[2]; # pragma warning (disable: 4214) /* nonstandard extension used */ #endif /* Microsoft C/C++ bit field types other than int */ +#if !defined unlikely +#define unlikely(x) (x) +#endif + /* * Frames Return Codes: * diff --git a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c index 0d25f085c5e..6f4e9670892 100644 --- a/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c +++ b/drivers/staging/qcacld-2.0/CORE/SYS/legacy/src/utils/src/dot11f.c @@ -30,7 +30,7 @@ * \brief Structures, functions & definitions for * working with 802.11 Frames * This file was automatically generated by 'framesc' - * Thu Dec 28 13:33:15 2017 from the following file(s): + * Wed Jun 20 14:32:20 2018 from the following file(s): * * dot11f.frms * @@ -1011,6 +1011,11 @@ tANI_U32 dot11fUnpackTlvAuthorizedMACs(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->mac, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
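Review bot: The `unlikely` fallback added to dot11f.h carries no comment explaining why a generated frames header defines a compiler-hint macro, and `#if !defined unlikely` only tests what is in scope at the point of inclusion; if a translation unit includes dot11f.h before the header that normally supplies `unlikely`, the two definitions would differ and trigger a redefinition diagnostic, so the include order in the qcacld-2.0 build is worth confirming. A one-line comment would make the intent explicit, e.g. `/* Branch-hint fallback for builds where the platform's unlikely() is not in scope. */`. Since the fallback expands to `(x)`, the guards in dot11f.c compile either way and behaviour does not depend on which definition wins.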
@@ -1029,6 +1034,11 @@ tANI_U32 dot11fUnpackTlvVersion2(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tl tANI_U32 status = DOT11F_PARSE_SUCCESS; tANI_U8 tmp8__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp8__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1051,6 +1061,11 @@ tANI_U32 dot11fUnpackTlvChannelList(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; @@ -1080,9 +1095,19 @@ tANI_U32 dot11fUnpackTlvConfigurationTimeout(tpAniSirGlobal pCtx, tANI_U8 *pBuf, { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->GOConfigTimeout = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->CLConfigTimeout = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1120,9 +1145,19 @@ tANI_U32 dot11fUnpackTlvExtendedListenTiming(tpAniSirGlobal pCtx, tANI_U8 *pBuf, { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityPeriod, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityInterval, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; @@ -1140,6 +1175,11 @@ tANI_U32 dot11fUnpackTlvIntendedP2PInterfaceAddress(tpAniSirGlobal pCtx, tANI_U8 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PInterfaceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1157,12 +1197,27 @@ tANI_U32 dot11fUnpackTlvListenChannel(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1240,9 +1295,19 @@ tANI_U32 dot11fUnpackTlvNoticeOfAbsence(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->index = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->CTSWindowOppPS = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1266,12 +1331,27 @@ tANI_U32 dot11fUnpackTlvOperatingChannel(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; 
@@ -1286,9 +1366,19 @@ tANI_U32 dot11fUnpackTlvP2PCapability(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->deviceCapability = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->groupCapability = *pBuf; pBuf += 1; tlvlen -= (tANI_U8)1; @@ -1303,6 +1393,11 @@ tANI_U32 dot11fUnpackTlvP2PDeviceId(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; @@ -1322,12 +1417,27 @@ tANI_U32 dot11fUnpackTlvP2PDeviceInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->configMethod, pBuf, 0); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->primaryDeviceType, pBuf, 8); pBuf += 8; tlvlen -= (tANI_U8)8; @@ -1348,6 +1458,11 @@ tANI_U32 dot11fUnpackTlvP2PGroupBssid(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PGroupBssid, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1362,6 +1477,11 @@ tANI_U32 dot11fUnpackTlvP2PGroupId(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->deviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; @@ -1404,12 +1524,27 @@ tANI_U32 dot11fUnpackTlvPrimaryDeviceType(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA tANI_U32 status = DOT11F_PARSE_SUCCESS; (void)pBuf; (void)tlvlen; /* Shutup the compiler */ pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (tANI_U8)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; @@ -1427,12 +1562,27 @@ tANI_U32 dot11fUnpackTlvRequestDeviceType(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (tANI_U8)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (tANI_U8)2; 
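Review bot: In dot11fUnpackTlvPrimaryDeviceType the context line `(void)pBuf; (void)tlvlen; /* Shutup the compiler */` is now misleading, because the new guards read `tlvlen` and the following lines read `pBuf`. That cast was a workaround for parameters the generated body did not use; now that they are used it should be dropped in the framesc template rather than hand-edited here, since the header timestamp hunk shows this file is regenerated. The same stale `(void) pBuf; (void)ielen;` line precedes every IE guard from the dot11fUnpackIeCondensedCountryStr hunk onward.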
@@ -1479,6 +1629,11 @@ tANI_U32 dot11fUnpackTlvUUID_E(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlvl { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (tANI_U8)16; @@ -1493,6 +1648,11 @@ tANI_U32 dot11fUnpackTlvUUID_R(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlvl { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (tANI_U8)16; @@ -1514,6 +1674,11 @@ tANI_U32 dot11fUnpackTlvVendorExtension(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->vendorId, pBuf, 3); pBuf += 3; tlvlen -= (tANI_U8)3; @@ -1535,6 +1700,11 @@ tANI_U32 dot11fUnpackTlvVersion(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U16 tlv tANI_U32 status = DOT11F_PARSE_SUCCESS; tANI_U8 tmp9__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp9__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1554,6 +1724,11 @@ tANI_U32 dot11fUnpackTlvP2PInterface(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U1 { tANI_U32 status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (tANI_U8)6; 
@@ -1573,6 +1748,11 @@ tANI_U32 dot11fUnpackIeCondensedCountryStr(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryStr, pBuf, 2); (void)pCtx; return status; @@ -1588,14 +1768,29 @@ tANI_U32 dot11fUnpackIeGTK(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp10__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->keyId = tmp10__ >> 0 & 0x3; pDst->reserved = tmp10__ >> 2 & 0x3feb; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RSC, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; @@ -1619,15 +1814,35 @@ tANI_U32 dot11fUnpackIeIGTK(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->keyID, pBuf, 2); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->IPN, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 24)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key, pBuf, 24); (void)pCtx; return status; 
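Review bot: The new early returns in the IE unpackers return a bare `DOT11F_INCOMPLETE_IE`, discarding the `DOT11F_DUPLICATE_IE` that `status` may already hold from the `if (pDst->present)` line just above, whereas the file's existing failure path in dot11fUnpackIeWMMSchedule returns `( status | DOT11F_BAD_FIXED_VALUE )`. For consistency, and so a caller still learns the IE was both duplicated and truncated, the guard should read `return status | DOT11F_INCOMPLETE_IE;`. This applies to every IE hunk from dot11fUnpackIeCondensedCountryStr through dot11fUnpackIeWMMTCLAS. In dot11fUnpackIeGTK the variable-length key that follows `RSC` lies outside this hunk; the new checks bound only the fixed prefix, so it is worth confirming that the tail copy is capped by the destination array size and not only by the remaining `ielen`.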
@@ -1642,6 +1857,11 @@ tANI_U32 dot11fUnpackIeMccChanInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; (void)pCtx; return status; @@ -1676,6 +1896,11 @@ tANI_U32 dot11fUnpackIeR1KH_ID(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->PMK_R1_ID, pBuf, 6); (void)pCtx; return status; @@ -1690,9 +1915,19 @@ tANI_U32 dot11fUnpackIeSub20Info(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->capability = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->csa_chanwidth = *pBuf; (void)pCtx; return status; @@ -1707,9 +1942,19 @@ tANI_U32 dot11fUnpackIeTSFInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->TsfOffset, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->BeaconIntvl, pBuf, 0); (void)pCtx; return status; 
@@ -1724,6 +1969,11 @@ tANI_U32 dot11fUnpackIeAPChannelReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1747,6 +1997,11 @@ tANI_U32 dot11fUnpackIeBcnReportingDetail(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingDetail = *pBuf; (void)pCtx; return status; @@ -1781,9 +2036,19 @@ tANI_U32 dot11fUnpackIeBeaconReporting(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingCondition = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->threshold = *pBuf; (void)pCtx; return status; @@ -1798,6 +2063,11 @@ tANI_U32 dot11fUnpackIeMeasurementPilot(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurementPilot = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -1816,6 +2086,11 @@ tANI_U32 dot11fUnpackIeMultiBssid(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxBSSIDIndicator = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1834,12 +2109,27 @@ tANI_U32 dot11fUnpackIeRICData(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->Identifier = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceDescCount = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->statusCode, pBuf, 0); (void)pCtx; return status; @@ -1854,6 +2144,11 @@ tANI_U32 dot11fUnpackIeRICDescriptor(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -1877,6 +2172,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp11__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -1888,6 +2188,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->BeaconActive = tmp11__ >> 5 & 0x1; pDst->BeaconTable = tmp11__ >> 6 & 0x1; pDst->BeaconRepCond = tmp11__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp12__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1899,6 +2204,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->LCIAzimuth = tmp12__ >> 5 & 0x1; pDst->TCMCapability = tmp12__ >> 6 & 0x1; pDst->triggeredTCM = tmp12__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp13__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1906,6 +2216,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->RRMMIBEnabled = tmp13__ >> 1 & 0x1; pDst->operatingChanMax = tmp13__ >> 2 & 0x7; pDst->nonOperatinChanMax = tmp13__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp14__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1915,6 +2230,11 @@ tANI_U32 dot11fUnpackIeRRMEnabledCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->RCPIMeasurement = tmp14__ >> 5 & 0x1; pDst->RSNIMeasurement = tmp14__ >> 6 & 0x1; pDst->BssAvgAccessDelay = tmp14__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp15__ = *pBuf; pDst->BSSAvailAdmission = tmp15__ >> 0 & 0x1; pDst->AntennaInformation = tmp15__ >> 1 & 0x1; @@ -1974,6 +2294,11 @@ tANI_U32 dot11fUnpackIeSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp16__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -1981,15 +2306,35 @@ tANI_U32 dot11fUnpackIeSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->tsid = tmp16__ >> 1 & 0xf; pDst->direction = tmp16__ >> 5 & 0x3; pDst->reserved = tmp16__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; 
@@ -2004,70 +2349,165 @@ tANI_U32 dot11fUnpackIeTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, 
&pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; 
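Review bot: The guards inside `switch (pDst->info.IpParams.version)` cover `case 4` and `case 6`, but no `default:` is visible in this hunk, so an IE carrying any other version value would leave `pDst->present = 1` with `info.IpParams.params` unparsed; whether the generator emits a default that fails the IE is outside what this hunk shows and is worth confirming. The same question applies to the outer `switch (pDst->classifier_type)`, whose remaining cases continue in the next hunk. dot11fUnpackIeTCLAS's body runs past the end of this hunk, and dot11fUnpackIeWMMTCLAS repeats the same structure.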
@@ -2075,6 +2515,11 @@ tANI_U32 dot11fUnpackIeTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, } break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -2096,6 +2541,11 @@ tANI_U32 dot11fUnpackIeTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; @@ -2113,6 +2563,11 @@ tANI_U32 dot11fUnpackIeTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp17__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2124,55 +2579,135 @@ tANI_U32 dot11fUnpackIeTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->psb = tmp17__ >> 10 & 0x1; pDst->user_priority = tmp17__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp17__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp18__ = *pBuf; pBuf += 1; ielen -= 1; pDst->schedule = tmp18__ >> 0 & 0x1; pDst->unused = tmp18__ >> 1 & 0x7f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp19__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp19__ >> 0 & 0x7fff; pDst->fixed = tmp19__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= 
(tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2190,6 +2725,11 @@ tANI_U32 dot11fUnpackIeVHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp20__, pBuf, 0); pBuf += 4; ielen -= 4; 
@@ -2213,17 +2753,37 @@ tANI_U32 dot11fUnpackIeVHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen pDst->rxAntPattern = tmp20__ >> 28 & 0x1; pDst->txAntPattern = tmp20__ >> 29 & 0x1; pDst->reserved1 = tmp20__ >> 30 & 0x3; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->rxMCSMap, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp21__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->rxHighSupDataRate = tmp21__ >> 0 & 0x1fff; pDst->reserved2 = tmp21__ >> 13 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->txMCSMap, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp22__, pBuf, 0); pDst->txSupDataRate = tmp22__ >> 0 & 0x1fff; pDst->reserved3 = tmp22__ >> 13 & 0x7; @@ -2240,15 +2800,35 @@ tANI_U32 dot11fUnpackIeVHTOperation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanWidth = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg1 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg2 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->basicMCSSet, pBuf, 0); (void)pCtx; return status; 
@@ -2264,6 +2844,11 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -2272,6 +2857,11 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp23__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -2279,15 +2869,35 @@ tANI_U32 dot11fUnpackIeWMMSchedule(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i pDst->tsid = tmp23__ >> 1 & 0xf; pDst->direction = tmp23__ >> 5 & 0x3; pDst->reserved = tmp23__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; @@ -2302,6 +2912,11 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -2310,70 +2925,165 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if 
(unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; 
@@ -2381,6 +3091,11 @@ tANI_U32 dot11fUnpackIeWMMTCLAS(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 }
 break;
 case 2:
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0);
 pBuf += 2;
 ielen -= (tANI_U8)2;
@@ -2399,6 +3114,11 @@ tANI_U32 dot11fUnpackIeWMMTCLASPROC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->version = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -2407,6 +3127,11 @@ tANI_U32 dot11fUnpackIeWMMTCLASPROC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 pDst->present = 0;
 return ( status | DOT11F_BAD_FIXED_VALUE );
 }
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->processing = *pBuf;
 (void)pCtx;
 return status;
@@ -2421,6 +3146,11 @@ tANI_U32 dot11fUnpackIeWMMTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->version = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -2429,6 +3159,11 @@ tANI_U32 dot11fUnpackIeWMMTSDelay(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie
 pDst->present = 0;
 return ( status | DOT11F_BAD_FIXED_VALUE );
 }
+ if (unlikely(ielen < 4)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohl(pCtx, &pDst->delay, pBuf, 0);
 (void)pCtx;
 return status;
@@ -2446,6 +3181,11 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->version = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -2454,6 +3194,11 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 pDst->present = 0;
 return ( status | DOT11F_BAD_FIXED_VALUE );
 }
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &tmp24__, pBuf, 0);
 pBuf += 2;
 ielen -= 2;
@@ -2465,55 +3210,135 @@ tANI_U32 dot11fUnpackIeWMMTSPEC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele pDst->psb = tmp24__ >> 10 & 0x1; pDst->user_priority = tmp24__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp24__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp25__ = *pBuf; pBuf += 1; ielen -= 1; pDst->tsinfo_rsvd = tmp25__ >> 0 & 0x7f; pDst->burst_size_defn = tmp25__ >> 7 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp26__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp26__ >> 0 & 0x7fff; pDst->fixed = tmp26__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; 
ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2528,12 +3353,27 @@ tANI_U32 dot11fUnpackIeWiderBWChanSwitchAnn(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newChanWidth = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq0 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq1 = *pBuf; (void)pCtx; return status; 
@@ -2568,6 +3408,11 @@ tANI_U32 dot11fUnpackIeAID(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->assocId, pBuf, 0);
 (void)pCtx;
 return status;
@@ -2582,15 +3427,35 @@ tANI_U32 dot11fUnpackIeCFParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->cfp_count = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->cfp_period = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->cfp_maxduration, pBuf, 0);
 pBuf += 2;
 ielen -= (tANI_U8)2;
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->cfp_durremaining, pBuf, 0);
 (void)pCtx;
 return status;
@@ -2625,12 +3490,27 @@ tANI_U32 dot11fUnpackIeChanSwitchAnn(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->switchMode = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->newChannel = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->switchCount = *pBuf;
 (void)pCtx;
 return status;
@@ -2675,6 +3555,11 @@ tANI_U32 dot11fUnpackIeCountry(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->country, pBuf, 3); pBuf += 3; ielen -= (tANI_U8)3; @@ -2717,12 +3602,27 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qos = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp27__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2730,14 +3630,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acbe_acm = tmp27__ >> 4 & 0x1; pDst->acbe_aci = tmp27__ >> 5 & 0x3; pDst->unused1 = tmp27__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp28__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp28__ >> 0 & 0xf; pDst->acbe_acwmax = tmp28__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp29__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2745,14 +3660,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acbk_acm = tmp29__ >> 4 & 0x1; pDst->acbk_aci = tmp29__ >> 5 & 0x3; pDst->unused2 = tmp29__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp30__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp30__ >> 0 & 0xf; pDst->acbk_acwmax = tmp30__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp31__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2760,14 +3690,29 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acvi_acm = tmp31__ >> 4 & 0x1; pDst->acvi_aci = tmp31__ >> 5 & 0x3; pDst->unused3 = tmp31__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp32__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp32__ >> 0 & 0xf; pDst->acvi_acwmax = tmp32__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp33__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2775,11 +3720,21 @@ tANI_U32 dot11fUnpackIeEDCAParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 pDst->acvo_acm = tmp33__ >> 4 & 0x1; pDst->acvo_aci = tmp33__ >> 5 & 0x3; pDst->unused4 = tmp33__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp34__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp34__ >> 0 & 0xf; pDst->acvo_acwmax = tmp34__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -2795,6 +3750,11 @@ tANI_U32 dot11fUnpackIeERPInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp35__ = *pBuf; pDst->non_erp_present = tmp35__ >> 0 & 0x1; pDst->use_prot = tmp35__ >> 1 & 0x1; @@ -2834,9 +3794,19 @@ tANI_U32 dot11fUnpackIeESERadMgmtCap(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->mgmt_state = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp36__ = *pBuf; pDst->mbssid_mask = tmp36__ >> 0 & 0x7; pDst->reserved = tmp36__ >> 3 & 0x1f; 
@@ -2853,12 +3823,27 @@ tANI_U32 dot11fUnpackIeESETrafStrmMet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->tsid = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->state = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->msmt_interval, pBuf, 0);
 (void)pCtx;
 return status;
@@ -2873,6 +3858,11 @@ tANI_U32 dot11fUnpackIeESETrafStrmRateSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->tsid = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -2896,9 +3886,19 @@ tANI_U32 dot11fUnpackIeESETxmitPower(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->power_limit = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->reserved = *pBuf;
 (void)pCtx;
 return status;
@@ -2913,6 +3913,11 @@ tANI_U32 dot11fUnpackIeESEVersion(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->version = *pBuf;
 (void)pCtx;
 return status;
@@ -2980,15 +3985,35 @@ tANI_U32 dot11fUnpackIeFHParamSet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->dwell_time, pBuf, 0);
 pBuf += 2;
 ielen -= (tANI_U8)2;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->hop_set = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->hop_pattern = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->hop_index = *pBuf;
 (void)pCtx;
 return status;
@@ -3003,9 +4028,19 @@ tANI_U32 dot11fUnpackIeFHParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->radix = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->nchannels = *pBuf;
 (void)pCtx;
 return status;
@@ -3020,15 +4055,35 @@ tANI_U32 dot11fUnpackIeFHPattTable(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 i (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->flag = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->nsets = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->modulus = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->offset = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3065,17 +4120,37 @@ tANI_U32 dot11fUnpackIeFTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp37__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->reserved = tmp37__ >> 0 & 0xff; pDst->IECount = tmp37__ >> 8 & 0xff; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->MIC, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Anonce, pBuf, 32); pBuf += 32; ielen -= (tANI_U8)32; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Snonce, pBuf, 32); pBuf += 32; ielen -= (tANI_U8)32; 
@@ -3100,6 +4175,11 @@ tANI_U32 dot11fUnpackIeHT2040BSSCoexistence(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp38__ = *pBuf; pDst->infoRequest = tmp38__ >> 0 & 0x1; pDst->fortyMHzIntolerant = tmp38__ >> 1 & 0x1; @@ -3120,6 +4200,11 @@ tANI_U32 dot11fUnpackIeHT2040BSSIntolerantReport(tpAniSirGlobal pCtx, tANI_U8 *p (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->operatingClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3148,6 +4233,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp39__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3165,15 +4255,30 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->psmp = tmp39__ >> 13 & 0x1; pDst->stbcControlFrame = tmp39__ >> 14 & 0x1; pDst->lsigTXOPProtection = tmp39__ >> 15 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp40__ = *pBuf; pBuf += 1; ielen -= 1; pDst->maxRxAMPDUFactor = tmp40__ >> 0 & 0x3; pDst->mpduDensity = tmp40__ >> 2 & 0x7; pDst->reserved1 = tmp40__ >> 5 & 0x7; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->supportedMCSSet, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp41__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3182,6 +4287,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->reserved2 = tmp41__ >> 3 & 0x1f; pDst->mcsFeedback = tmp41__ >> 8 & 0x3; pDst->reserved3 = tmp41__ >> 10 & 0x3f; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp42__, pBuf, 0); pBuf += 4; ielen -= 4; @@ -3201,6 +4311,11 @@ tANI_U32 dot11fUnpackIeHTCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->uncompressedSteeringMatrixBFAntennae = tmp42__ >> 21 & 0x3; pDst->compressedSteeringMatrixBFAntennae = tmp42__ >> 23 & 0x3; pDst->reserved4 = tmp42__ >> 25 & 0x7f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp43__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3235,9 +4350,19 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->primaryChannel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp44__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3246,6 +4371,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->rifsMode = tmp44__ >> 3 & 0x1; pDst->controlledAccessOnly = tmp44__ >> 4 & 0x1; pDst->serviceIntervalGranularity = tmp44__ >> 5 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp45__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3254,6 +4384,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->transmitBurstLimit = tmp45__ >> 3 & 0x1; pDst->obssNonHTStaPresent = tmp45__ >> 4 & 0x1; pDst->reserved = tmp45__ >> 5 & 0x7ff; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp46__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3264,6 +4399,11 @@ tANI_U32 dot11fUnpackIeHTInfo(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, pDst->pcoActive = tmp46__ >> 10 & 0x1; pDst->pcoPhase = tmp46__ >> 11 & 0x1; pDst->reserved2 = tmp46__ >> 12 & 0xf; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->basicMCSSet, pBuf, 16); pBuf += 16; ielen -= (tANI_U8)16; @@ -3287,6 +4427,11 @@ tANI_U32 dot11fUnpackIeIBSSParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->atim, pBuf, 0); (void)pCtx; return status; @@ -3301,12 +4446,27 @@ tANI_U32 dot11fUnpackIeLinkIdentifier(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->InitStaAddr, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RespStaAddr, pBuf, 6); (void)pCtx; return status; 
@@ -3333,9 +4493,19 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->token = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp47__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3343,6 +4513,11 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN pDst->incapable = tmp47__ >> 1 & 0x1; pDst->refused = tmp47__ >> 2 & 0x1; pDst->unused = tmp47__ >> 3 & 0x1f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -3355,15 +4530,35 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN switch (pDst->type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Basic.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Basic.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp48__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3375,84 +4570,209 @@ tANI_U32 dot11fUnpackIeMeasurementReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN pDst->report.Basic.unused = tmp48__ >> 5 & 0x7; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.CCA.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.cca_busy_fraction = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.RPIHistogram.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi0_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi1_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi2_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + 
pDst->report.RPIHistogram.rpi3_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi4_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi5_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi6_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi7_density = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Beacon.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp49__ = *pBuf; pBuf += 1; ielen -= 1; pDst->report.Beacon.condensed_PHY = tmp49__ >> 0 & 0x7f; pDst->report.Beacon.reported_frame_type = tmp49__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RCPI = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RSNI = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + 
if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->report.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.antenna_id = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->report.Beacon.parent_TSF, pBuf, 0); pBuf += 4; ielen -= (tANI_U8)4; @@ -3493,9 +4813,19 @@ tANI_U32 dot11fUnpackIeMeasurementRequest(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_token = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp50__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3505,60 +4835,140 @@ tANI_U32 dot11fUnpackIeMeasurementRequest(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA pDst->report = tmp50__ >> 3 & 0x1; pDst->durationMandatory = tmp50__ >> 4 & 0x1; pDst->unused = tmp50__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; switch (pDst->measurement_type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Basic.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Basic.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.CCA.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.CCA.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.RPIHistogram.channel_no = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.RPIHistogram.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; 
+ return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.randomization, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.meas_mode = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; @@ -3585,9 +4995,19 @@ tANI_U32 dot11fUnpackIeMobilityDomain(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->MDID, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp51__ = *pBuf; pDst->overDSCap = tmp51__ >> 0 & 0x1; pDst->resourceReqCap = tmp51__ >> 1 & 0x1; 
@@ -3620,9 +5040,19 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp52__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3633,6 +5063,11 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U pDst->QosCap = tmp52__ >> 5 & 0x1; pDst->apsd = tmp52__ >> 6 & 0x1; pDst->rrm = tmp52__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp53__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3640,15 +5075,35 @@ tANI_U32 dot11fUnpackIeNeighborReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U pDst->ImmBA = tmp53__ >> 1 & 0x1; pDst->MobilityDomain = tmp53__ >> 2 & 0x1; pDst->reserved = tmp53__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; 
@@ -3672,24 +5127,59 @@ tANI_U32 dot11fUnpackIeOBSSScanParameters(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveDwell, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveDwell, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssChannelWidthTriggerScanInterval, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssWidthChannelTransitionDelayFactor, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActivityThreshold, pBuf, 0); (void)pCtx; return status; @@ -3705,6 +5195,11 @@ tANI_U32 dot11fUnpackIeOperatingMode(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp54__ = *pBuf; pDst->chanWidth = tmp54__ >> 0 & 0x3; pDst->reserved = tmp54__ >> 2 & 0x3; 
@@ -4136,9 +5631,19 @@ tANI_U32 dot11fUnpackIePTIControl(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tid = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sequence_control, pBuf, 0); (void)pCtx; return status; @@ -4154,6 +5659,11 @@ tANI_U32 dot11fUnpackIePUBufferStatus(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp55__ = *pBuf; pDst->ac_bk_traffic_aval = tmp55__ >> 0 & 0x1; pDst->ac_be_traffic_aval = tmp55__ >> 1 & 0x1; @@ -4173,9 +5683,19 @@ tANI_U32 dot11fUnpackIePowerCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->minTxPower = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxTxPower = *pBuf; (void)pCtx; return status; @@ -4190,6 +5710,11 @@ tANI_U32 dot11fUnpackIePowerConstraints(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->localPowerConstraints = *pBuf; (void)pCtx; return status; 
@@ -4204,12 +5729,27 @@ tANI_U32 dot11fUnpackIeQBSSLoad(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->stacount, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chautil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->avail, pBuf, 0); (void)pCtx; return status; @@ -4255,6 +5795,11 @@ tANI_U32 dot11fUnpackIeQOSCapsAp(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp56__ = *pBuf; pDst->count = tmp56__ >> 0 & 0xf; pDst->qack = tmp56__ >> 4 & 0x1; @@ -4275,6 +5820,11 @@ tANI_U32 dot11fUnpackIeQOSCapsStation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp57__ = *pBuf; pDst->acvo_uapsd = tmp57__ >> 0 & 0x1; pDst->acvi_uapsd = tmp57__ >> 1 & 0x1; 
@@ -4316,15 +5866,35 @@ tANI_U32 dot11fUnpackIeQuiet(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->count = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->period = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->duration, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->offset, pBuf, 0); (void)pCtx; return status; @@ -4339,6 +5909,11 @@ tANI_U32 dot11fUnpackIeRCPIIE(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rcpi = *pBuf; (void)pCtx; return status; @@ -4393,6 +5968,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -4401,6 +5981,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->gp_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; 
@@ -4413,10 +5998,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->pwise_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->pwise_cipher_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->pwise_cipher_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4433,10 +6028,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->akm_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->akm_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4452,6 +6057,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RSN_Cap, pBuf, 2); pBuf += 2; ielen -= (tANI_U8)2; @@ -4463,10 +6073,20 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->pmkid_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->pmkid_count * 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->pmkid_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
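Review bot: The new `ielen < pDst->pwise_cipher_suite_count * 4` check sits before the existing `pwise_cipher_suite_count > 4` rejection, so an IE carrying an oversized count together with a short length now returns DOT11F_INCOMPLETE_IE where it previously returned DOT11F_SKIPPED_BAD_IE; callers that act differently on the two statuses should be checked. Placing the new check after the `> 4` test keeps the existing status for bogus counts and only runs the length comparison for counts the existing code accepts; the comparison itself is safe as written, because the count is loaded from two bytes by framesntohs and ielen is tANI_U8, so `count * 4` cannot wrap. The same ordering question applies to the akm_suite_count and pmkid_count checks further along this line, to the WAPI counts at @@ -4755, @@ -4766 and @@ -4792, and to the WPA counts at @@ -5069 and @@ -5088. The body of dot11fUnpackIeRSN continues outside these hunks.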
@@ -4481,6 +6101,11 @@ tANI_U32 dot11fUnpackIeRSN(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->gp_mgmt_cipher_suite, pBuf, 4); } (void)pCtx; @@ -4496,6 +6121,11 @@ tANI_U32 dot11fUnpackIeRSNIIE(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rsni = *pBuf; (void)pCtx; return status; @@ -4598,12 +6228,27 @@ tANI_U32 dot11fUnpackIeTIM(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_count = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_period = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->bmpctl = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4627,9 +6272,19 @@ tANI_U32 dot11fUnpackIeTPCReport(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tx_power = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->link_margin = *pBuf; (void)pCtx; return status; 
@@ -4657,12 +6312,27 @@ tANI_U32 dot11fUnpackIeTimeAdvertisement(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tAN (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timing_capabilities = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 10)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_value, pBuf, 10); pBuf += 10; ielen -= (tANI_U8)10; + if (unlikely(ielen < 5)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_error, pBuf, 5); (void)pCtx; return status; @@ -4677,9 +6347,19 @@ tANI_U32 dot11fUnpackIeTimeoutInterval(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timeoutType = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->timeoutValue, pBuf, 0); (void)pCtx; return status; 
@@ -4694,18 +6374,43 @@ tANI_U32 dot11fUnpackIeVHTExtBssLoad(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->muMIMOCapStaCount = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->ssUnderUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->FortyMHzUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->EightyMHzUtil = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->OneSixtyMHzUtil = *pBuf; (void)pCtx; return status; @@ -4747,6 +6452,11 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; @@ -4755,9 +6465,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < pDst->akm_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->akm_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -4766,9 +6486,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t DOT11F_MEMCPY(pCtx, pDst->akm_suites, pBuf, ( pDst->akm_suite_count * 4 ) ); pBuf += ( pDst->akm_suite_count * 4 ); ielen -= ( pDst->akm_suite_count * 4 ); + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < pDst->unicast_cipher_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -4777,9 +6507,19 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t DOT11F_MEMCPY(pCtx, pDst->unicast_cipher_suites, pBuf, ( pDst->unicast_cipher_suite_count * 4 ) ); pBuf += ( pDst->unicast_cipher_suite_count * 4 ); ielen -= ( pDst->unicast_cipher_suite_count * 4 ); + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp58__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -4792,10 +6532,20 @@ tANI_U32 dot11fUnpackIeWAPI(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, t } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bkid_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->bkid_count * 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->bkid_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -4835,9 +6585,19 @@ tANI_U32 dot11fUnpackIeWFATPC(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->txPower = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->linkMargin = *pBuf; (void)pCtx; return status; @@ -4873,6 +6633,11 @@ tANI_U32 dot11fUnpackIeWMMCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4881,6 +6646,11 @@ tANI_U32 dot11fUnpackIeWMMCaps(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp59__ = *pBuf; pDst->reserved = tmp59__ >> 0 & 0xf; pDst->qack = tmp59__ >> 4 & 0x1; @@ -4901,9 +6671,19 @@ tANI_U32 dot11fUnpackIeWMMInfoAp(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp60__ = *pBuf; pDst->param_set_count = tmp60__ >> 0 & 0xf; pDst->reserved = tmp60__ >> 4 & 0x7; 
@@ -4922,9 +6702,19 @@ tANI_U32 dot11fUnpackIeWMMInfoStation(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp61__ = *pBuf; pDst->acvo_uapsd = tmp61__ >> 0 & 0x1; pDst->acvi_uapsd = tmp61__ >> 1 & 0x1; @@ -4954,6 +6744,11 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -4962,12 +6757,27 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->present = 0; return ( status | DOT11F_BAD_FIXED_VALUE ); } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qosInfo = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved2 = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp62__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -4975,14 +6785,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acbe_acm = tmp62__ >> 4 & 0x1; pDst->acbe_aci = tmp62__ >> 5 & 0x3; pDst->unused1 = tmp62__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp63__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp63__ >> 0 & 0xf; pDst->acbe_acwmax = tmp63__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp64__ = *pBuf; pBuf += 1; ielen -= 1; @@ -4990,14 +6815,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acbk_acm = tmp64__ >> 4 & 0x1; pDst->acbk_aci = tmp64__ >> 5 & 0x3; pDst->unused2 = tmp64__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp65__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp65__ >> 0 & 0xf; pDst->acbk_acwmax = tmp65__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp66__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -5005,14 +6845,29 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acvi_acm = tmp66__ >> 4 & 0x1; pDst->acvi_aci = tmp66__ >> 5 & 0x3; pDst->unused3 = tmp66__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp67__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp67__ >> 0 & 0xf; pDst->acvi_acwmax = tmp67__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp68__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5020,11 +6875,21 @@ tANI_U32 dot11fUnpackIeWMMParams(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iel pDst->acvo_acm = tmp68__ >> 4 & 0x1; pDst->acvo_aci = tmp68__ >> 5 & 0x3; pDst->unused4 = tmp68__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp69__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp69__ >> 0 & 0xf; pDst->acvo_acwmax = tmp69__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -5039,6 +6904,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; 
@@ -5057,6 +6927,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD else { pDst->multicast_cipher_present = 1U; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher, pBuf, 4); pBuf += 4; ielen -= (tANI_U8)4; @@ -5069,10 +6944,20 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->unicast_cipher_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5088,10 +6973,20 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->auth_suite_count, pBuf, 0); pBuf += 2; ielen -= (tANI_U8)2; } + if (unlikely(ielen < pDst->auth_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->auth_suite_count > 4){ pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5106,6 +7001,11 @@ tANI_U32 dot11fUnpackIeWPA(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ielen, tD } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->caps, pBuf, 0); } (void)pCtx; 
@@ -5378,15 +7278,35 @@ tANI_U32 dot11fUnpackIeext_chan_switch_ann(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_mode = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_reg_class = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_channel = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_count = *pBuf; (void)pCtx; return status; @@ -5401,6 +7321,11 @@ tANI_U32 dot11fUnpackIefils_assoc_delay_info(tpAniSirGlobal pCtx, tANI_U8 *pBuf, (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->assoc_delay_info = *pBuf; (void)pCtx; return status; @@ -5415,9 +7340,19 @@ tANI_U32 dot11fUnpackIefils_hlp_container(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tA (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->dest_mac, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->src_mac, pBuf, 6); pBuf += 6; ielen -= (tANI_U8)6; 
@@ -5437,6 +7372,11 @@ tANI_U32 dot11fUnpackIefils_indication(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp70__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -5464,6 +7404,11 @@ tANI_U32 dot11fUnpackIefils_kde(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 iele (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key_rsc, pBuf, 8); pBuf += 8; ielen -= (tANI_U8)8; @@ -5497,6 +7442,11 @@ tANI_U32 dot11fUnpackIefils_nonce(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->nonce, pBuf, 16); (void)pCtx; return status; @@ -5511,6 +7461,11 @@ tANI_U32 dot11fUnpackIefils_public_key(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_ (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->key_type = *pBuf; pBuf += 1; ielen -= (tANI_U8)1; @@ -5529,6 +7484,11 @@ tANI_U32 dot11fUnpackIefils_session(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->session, pBuf, 8); (void)pCtx; return status; 
@@ -5559,6 +7519,11 @@ tANI_U32 dot11fUnpackIehs20vendor_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 tmp71__ = *pBuf;
 pBuf += 1;
 ielen -= 1;
@@ -5575,11 +7540,21 @@ tANI_U32 dot11fUnpackIehs20vendor_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8
 switch (pDst->hs_id_present) {
 case 1:
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->hs_id.pps_mo.pps_mo_id, pBuf, 0);
 pBuf += 2;
 ielen -= (tANI_U8)2;
 break;
 case 2:
+ if (unlikely(ielen < 2)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 framesntohs(pCtx, &pDst->hs_id.anqp_domain.anqp_domain_id, pBuf, 0);
 pBuf += 2;
 ielen -= (tANI_U8)2;
@@ -5599,6 +7574,11 @@ tANI_U32 dot11fUnpackIesec_chan_offset_ele(tpAniSirGlobal pCtx, tANI_U8 *pBuf, t
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->secondaryChannelOffset = *pBuf;
 (void)pCtx;
 return status;
@@ -5623,9 +7603,19 @@ tANI_U32 dot11fUnpackIevendor2_ie(tpAniSirGlobal pCtx, tANI_U8 *pBuf, tANI_U8 ie
 (void) pBuf; (void)ielen; /* Shutup the compiler */
 if (pDst->present) status = DOT11F_DUPLICATE_IE;
 pDst->present = 1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->type = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
+ if (unlikely(ielen < 1)) {
+ pDst->present = 0;
+ return DOT11F_INCOMPLETE_IE;
+ }
+
 pDst->sub_type = *pBuf;
 pBuf += 1;
 ielen -= (tANI_U8)1;
@@ -23653,6 +25643,9 @@ tANI_U32 dot11fPackTlvVersion2(tpAniSirGlobal pCtx,
 tmp80__ = 0U;
 tmp80__ |= ( pSrc->minor << 0 );
 tmp80__ |= ( pSrc->major << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp80__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -24874,6 +26867,9 @@ tANI_U32 dot11fPackTlvVersion(tpAniSirGlobal pCtx,
 tmp81__ = 0U;
 tmp81__ |= ( pSrc->minor << 0 );
 tmp81__ |= ( pSrc->major << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp81__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -25029,6 +27025,9 @@ tANI_U32 dot11fPackIeGTK(tpAniSirGlobal pCtx,
 tmp82__ = 0U;
 tmp82__ |= ( pSrc->keyId << 0 );
 tmp82__ |= ( pSrc->reserved << 2 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp82__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -25539,6 +27538,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx,
 tmp83__ |= ( pSrc->BeaconActive << 5 );
 tmp83__ |= ( pSrc->BeaconTable << 6 );
 tmp83__ |= ( pSrc->BeaconRepCond << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp83__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -25552,6 +27554,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx,
 tmp84__ |= ( pSrc->LCIAzimuth << 5 );
 tmp84__ |= ( pSrc->TCMCapability << 6 );
 tmp84__ |= ( pSrc->triggeredTCM << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp84__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -25561,6 +27566,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx,
 tmp85__ |= ( pSrc->RRMMIBEnabled << 1 );
 tmp85__ |= ( pSrc->operatingChanMax << 2 );
 tmp85__ |= ( pSrc->nonOperatinChanMax << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp85__;
 *pnConsumed += 1;
 pBuf += 1;
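Review bot: The pack-side guard in dot11fPackTlvVersion2 returns before the write, but `*pnConsumed += 1` has already run for every field packed earlier in the same element, so a caller that receives DOT11F_INCOMPLETE_IE mid-element is handed a consumed count covering a truncated element; the hunk does not show where pnConsumed is initialised, but nothing visible rolls it back on this path. The guards also report an output-buffer shortfall with a parse-side code; as far as I can tell dot11f.h's return-code set has DOT11F_BUFFER_OVERFLOW for this case, and any caller that tests for that code will not see this failure. Each guard compares nBuf while the visible lines advance only pBuf and *pnConsumed — if nBuf is not decremented on the line after `pBuf += 1;` (outside the hunk), successive guards in one function all test the same value and only the first one means anything. The same three points apply to every pack hunk that follows (dot11fPackTlvVersion, dot11fPackIeGTK, dot11fPackIeRRMEnabledCap, Schedule, TSPEC, VHTCaps, WMMSchedule, WMMTSPEC, EDCAParamSet, ERPInfo, ESERadMgmtCap, FTInfo, HT2040BSSCoexistence, HTCaps, HTInfo, MeasurementReport, MeasurementRequest, MobilityDomain, NeighborReport, OperatingMode, PUBufferStatus, QOSCapsAp, QOSCapsStation, WAPI, WMMCaps, WMMInfoAp, WMMInfoStation, WMMParams, fils_indication and hs20vendor_ie); every enclosing function starts and ends outside its hunk.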
@@ -25572,6 +27580,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx,
 tmp86__ |= ( pSrc->RCPIMeasurement << 5 );
 tmp86__ |= ( pSrc->RSNIMeasurement << 6 );
 tmp86__ |= ( pSrc->BssAvgAccessDelay << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp86__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -25582,6 +27593,9 @@ tANI_U32 dot11fPackIeRRMEnabledCap(tpAniSirGlobal pCtx,
 tmp87__ |= ( pSrc->fine_time_meas_rpt << 2 );
 tmp87__ |= ( pSrc->lci_capability << 3 );
 tmp87__ |= ( pSrc->reserved << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp87__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -25679,6 +27693,9 @@ tANI_U32 dot11fPackIeSchedule(tpAniSirGlobal pCtx,
 tmp88__ |= ( pSrc->tsid << 1 );
 tmp88__ |= ( pSrc->direction << 5 );
 tmp88__ |= ( pSrc->reserved << 7 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp88__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -25899,6 +27916,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx,
 tmp89__ |= ( pSrc->psb << 10 );
 tmp89__ |= ( pSrc->user_priority << 11 );
 tmp89__ |= ( pSrc->tsinfo_ack_pol << 14 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp89__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -25906,6 +27926,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx,
 tmp90__ = 0U;
 tmp90__ |= ( pSrc->schedule << 0 );
 tmp90__ |= ( pSrc->unused << 1 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp90__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -25913,6 +27936,9 @@ tANI_U32 dot11fPackIeTSPEC(tpAniSirGlobal pCtx,
 tmp91__ = 0U;
 tmp91__ |= ( pSrc->size << 0 );
 tmp91__ |= ( pSrc->fixed << 15 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp91__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -26010,6 +28036,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx,
 tmp92__ |= ( pSrc->rxAntPattern << 28 );
 tmp92__ |= ( pSrc->txAntPattern << 29 );
 tmp92__ |= ( pSrc->reserved1 << 30 );
+ if (unlikely(nBuf < 4))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtonl(pCtx, pBuf, tmp92__, 0);
 *pnConsumed += 4;
 pBuf += 4;
@@ -26020,6 +28049,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx,
 tmp93__ = 0U;
 tmp93__ |= ( pSrc->rxHighSupDataRate << 0 );
 tmp93__ |= ( pSrc->reserved2 << 13 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp93__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -26030,6 +28062,9 @@ tANI_U32 dot11fPackIeVHTCaps(tpAniSirGlobal pCtx,
 tmp94__ = 0U;
 tmp94__ |= ( pSrc->txSupDataRate << 0 );
 tmp94__ |= ( pSrc->reserved3 << 13 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp94__, 0);
 *pnConsumed += 2;
 // fieldsEndFlag = 1
@@ -26119,6 +28154,9 @@ tANI_U32 dot11fPackIeWMMSchedule(tpAniSirGlobal pCtx,
 tmp95__ |= ( pSrc->tsid << 1 );
 tmp95__ |= ( pSrc->direction << 5 );
 tmp95__ |= ( pSrc->reserved << 7 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp95__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -26391,6 +28429,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx,
 tmp96__ |= ( pSrc->psb << 10 );
 tmp96__ |= ( pSrc->user_priority << 11 );
 tmp96__ |= ( pSrc->tsinfo_ack_pol << 14 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp96__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -26398,6 +28439,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx,
 tmp97__ = 0U;
 tmp97__ |= ( pSrc->tsinfo_rsvd << 0 );
 tmp97__ |= ( pSrc->burst_size_defn << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp97__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26405,6 +28449,9 @@ tANI_U32 dot11fPackIeWMMTSPEC(tpAniSirGlobal pCtx,
 tmp98__ = 0U;
 tmp98__ |= ( pSrc->size << 0 );
 tmp98__ |= ( pSrc->fixed << 15 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp98__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -26802,6 +28849,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp99__ |= ( pSrc->acbe_acm << 4 );
 tmp99__ |= ( pSrc->acbe_aci << 5 );
 tmp99__ |= ( pSrc->unused1 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp99__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26809,6 +28859,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp100__ = 0U;
 tmp100__ |= ( pSrc->acbe_acwmin << 0 );
 tmp100__ |= ( pSrc->acbe_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp100__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26821,6 +28874,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp101__ |= ( pSrc->acbk_acm << 4 );
 tmp101__ |= ( pSrc->acbk_aci << 5 );
 tmp101__ |= ( pSrc->unused2 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp101__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26828,6 +28884,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp102__ = 0U;
 tmp102__ |= ( pSrc->acbk_acwmin << 0 );
 tmp102__ |= ( pSrc->acbk_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp102__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26840,6 +28899,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp103__ |= ( pSrc->acvi_acm << 4 );
 tmp103__ |= ( pSrc->acvi_aci << 5 );
 tmp103__ |= ( pSrc->unused3 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp103__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26847,6 +28909,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp104__ = 0U;
 tmp104__ |= ( pSrc->acvi_acwmin << 0 );
 tmp104__ |= ( pSrc->acvi_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp104__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26859,6 +28924,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp105__ |= ( pSrc->acvo_acm << 4 );
 tmp105__ |= ( pSrc->acvo_aci << 5 );
 tmp105__ |= ( pSrc->unused4 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp105__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26866,6 +28934,9 @@ tANI_U32 dot11fPackIeEDCAParamSet(tpAniSirGlobal pCtx,
 tmp106__ = 0U;
 tmp106__ |= ( pSrc->acvo_acwmin << 0 );
 tmp106__ |= ( pSrc->acvo_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp106__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -26906,6 +28977,9 @@ tANI_U32 dot11fPackIeERPInfo(tpAniSirGlobal pCtx,
 tmp107__ |= ( pSrc->use_prot << 1 );
 tmp107__ |= ( pSrc->barker_preamble << 2 );
 tmp107__ |= ( pSrc->unused << 3 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp107__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -26990,6 +29064,9 @@ tANI_U32 dot11fPackIeESERadMgmtCap(tpAniSirGlobal pCtx,
 tmp108__ = 0U;
 tmp108__ |= ( pSrc->mbssid_mask << 0 );
 tmp108__ |= ( pSrc->reserved << 3 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp108__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -27365,6 +29442,9 @@ tANI_U32 dot11fPackIeFTInfo(tpAniSirGlobal pCtx,
 tmp109__ = 0U;
 tmp109__ |= ( pSrc->reserved << 0 );
 tmp109__ |= ( pSrc->IECount << 8 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp109__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -27420,6 +29500,9 @@ tANI_U32 dot11fPackIeHT2040BSSCoexistence(tpAniSirGlobal pCtx,
 tmp110__ |= ( pSrc->obssScanExemptionReq << 3 );
 tmp110__ |= ( pSrc->obssScanExemptionGrant << 4 );
 tmp110__ |= ( pSrc->unused << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp110__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -27504,6 +29587,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx,
 tmp111__ |= ( pSrc->psmp << 13 );
 tmp111__ |= ( pSrc->stbcControlFrame << 14 );
 tmp111__ |= ( pSrc->lsigTXOPProtection << 15 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp111__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -27512,6 +29598,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx,
 tmp112__ |= ( pSrc->maxRxAMPDUFactor << 0 );
 tmp112__ |= ( pSrc->mpduDensity << 2 );
 tmp112__ |= ( pSrc->reserved1 << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp112__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -27525,6 +29614,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx,
 tmp113__ |= ( pSrc->reserved2 << 3 );
 tmp113__ |= ( pSrc->mcsFeedback << 8 );
 tmp113__ |= ( pSrc->reserved3 << 10 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp113__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -27546,6 +29638,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx,
 tmp114__ |= ( pSrc->uncompressedSteeringMatrixBFAntennae << 21 );
 tmp114__ |= ( pSrc->compressedSteeringMatrixBFAntennae << 23 );
 tmp114__ |= ( pSrc->reserved4 << 25 );
+ if (unlikely(nBuf < 4))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtonl(pCtx, pBuf, tmp114__, 0);
 *pnConsumed += 4;
 pBuf += 4;
@@ -27559,6 +29654,9 @@ tANI_U32 dot11fPackIeHTCaps(tpAniSirGlobal pCtx,
 tmp115__ |= ( pSrc->rxAS << 5 );
 tmp115__ |= ( pSrc->txSoundingPPDUs << 6 );
 tmp115__ |= ( pSrc->reserved5 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp115__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -27605,6 +29703,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx,
 tmp116__ |= ( pSrc->rifsMode << 3 );
 tmp116__ |= ( pSrc->controlledAccessOnly << 4 );
 tmp116__ |= ( pSrc->serviceIntervalGranularity << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp116__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -27615,6 +29716,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx,
 tmp117__ |= ( pSrc->transmitBurstLimit << 3 );
 tmp117__ |= ( pSrc->obssNonHTStaPresent << 4 );
 tmp117__ |= ( pSrc->reserved << 5 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp117__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -27627,6 +29731,9 @@ tANI_U32 dot11fPackIeHTInfo(tpAniSirGlobal pCtx,
 tmp118__ |= ( pSrc->pcoActive << 10 );
 tmp118__ |= ( pSrc->pcoPhase << 11 );
 tmp118__ |= ( pSrc->reserved2 << 12 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp118__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -27743,6 +29850,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx,
 tmp119__ |= ( pSrc->incapable << 1 );
 tmp119__ |= ( pSrc->refused << 2 );
 tmp119__ |= ( pSrc->unused << 3 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp119__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -27770,6 +29880,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx,
 tmp120__ |= ( pSrc->report.Basic.rader << 3 );
 tmp120__ |= ( pSrc->report.Basic.unmeasured << 4 );
 tmp120__ |= ( pSrc->report.Basic.unused << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp120__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -27840,6 +29953,9 @@ tANI_U32 dot11fPackIeMeasurementReport(tpAniSirGlobal pCtx,
 tmp121__ = 0U;
 tmp121__ |= ( pSrc->report.Beacon.condensed_PHY << 0 );
 tmp121__ |= ( pSrc->report.Beacon.reported_frame_type << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp121__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -27910,6 +30026,9 @@ tANI_U32 dot11fPackIeMeasurementRequest(tpAniSirGlobal pCtx,
 tmp122__ |= ( pSrc->report << 3 );
 tmp122__ |= ( pSrc->durationMandatory << 4 );
 tmp122__ |= ( pSrc->unused << 5 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp122__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -28015,6 +30134,9 @@ tANI_U32 dot11fPackIeMobilityDomain(tpAniSirGlobal pCtx,
 tmp123__ |= ( pSrc->overDSCap << 0 );
 tmp123__ |= ( pSrc->resourceReqCap << 1 );
 tmp123__ |= ( pSrc->reserved << 2 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp123__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -28061,6 +30183,9 @@ tANI_U32 dot11fPackIeNeighborReport(tpAniSirGlobal pCtx,
 tmp124__ |= ( pSrc->QosCap << 5 );
 tmp124__ |= ( pSrc->apsd << 6 );
 tmp124__ |= ( pSrc->rrm << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp124__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -28070,6 +30195,9 @@ tANI_U32 dot11fPackIeNeighborReport(tpAniSirGlobal pCtx,
 tmp125__ |= ( pSrc->ImmBA << 1 );
 tmp125__ |= ( pSrc->MobilityDomain << 2 );
 tmp125__ |= ( pSrc->reserved << 3 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp125__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -28174,6 +30302,9 @@ tANI_U32 dot11fPackIeOperatingMode(tpAniSirGlobal pCtx,
 tmp126__ |= ( pSrc->reserved << 2 );
 tmp126__ |= ( pSrc->rxNSS << 4 );
 tmp126__ |= ( pSrc->rxNSSType << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp126__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -29143,6 +31274,9 @@ tANI_U32 dot11fPackIePUBufferStatus(tpAniSirGlobal pCtx,
 tmp127__ |= ( pSrc->ac_vi_traffic_aval << 2 );
 tmp127__ |= ( pSrc->ac_vo_traffic_aval << 3 );
 tmp127__ |= ( pSrc->reserved << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp127__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -29322,6 +31456,9 @@ tANI_U32 dot11fPackIeQOSCapsAp(tpAniSirGlobal pCtx,
 tmp128__ |= ( pSrc->qreq << 5 );
 tmp128__ |= ( pSrc->txopreq << 6 );
 tmp128__ |= ( pSrc->reserved << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp128__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -29362,6 +31499,9 @@ tANI_U32 dot11fPackIeQOSCapsStation(tpAniSirGlobal pCtx,
 tmp129__ |= ( pSrc->qack << 4 );
 tmp129__ |= ( pSrc->max_sp_length << 5 );
 tmp129__ |= ( pSrc->more_data_ack << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp129__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -30042,6 +32182,9 @@ tANI_U32 dot11fPackIeWAPI(tpAniSirGlobal pCtx,
 tmp130__ = 0U;
 tmp130__ |= ( pSrc->preauth << 0 );
 tmp130__ |= ( pSrc->reserved << 1 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp130__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -30213,6 +32356,9 @@ tANI_U32 dot11fPackIeWMMCaps(tpAniSirGlobal pCtx,
 tmp131__ |= ( pSrc->queue_request << 5 );
 tmp131__ |= ( pSrc->txop_request << 6 );
 tmp131__ |= ( pSrc->more_ack << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp131__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -30262,6 +32408,9 @@ tANI_U32 dot11fPackIeWMMInfoAp(tpAniSirGlobal pCtx,
 tmp132__ |= ( pSrc->param_set_count << 0 );
 tmp132__ |= ( pSrc->reserved << 4 );
 tmp132__ |= ( pSrc->uapsd << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp132__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -30315,6 +32464,9 @@ tANI_U32 dot11fPackIeWMMInfoStation(tpAniSirGlobal pCtx,
 tmp133__ |= ( pSrc->reserved1 << 4 );
 tmp133__ |= ( pSrc->max_sp_length << 5 );
 tmp133__ |= ( pSrc->reserved2 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp133__;
 *pnConsumed += 1;
 // fieldsEndFlag = 1
@@ -30378,6 +32530,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp134__ |= ( pSrc->acbe_acm << 4 );
 tmp134__ |= ( pSrc->acbe_aci << 5 );
 tmp134__ |= ( pSrc->unused1 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp134__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30385,6 +32540,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp135__ = 0U;
 tmp135__ |= ( pSrc->acbe_acwmin << 0 );
 tmp135__ |= ( pSrc->acbe_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp135__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30397,6 +32555,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp136__ |= ( pSrc->acbk_acm << 4 );
 tmp136__ |= ( pSrc->acbk_aci << 5 );
 tmp136__ |= ( pSrc->unused2 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp136__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30404,6 +32565,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp137__ = 0U;
 tmp137__ |= ( pSrc->acbk_acwmin << 0 );
 tmp137__ |= ( pSrc->acbk_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp137__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30416,6 +32580,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp138__ |= ( pSrc->acvi_acm << 4 );
 tmp138__ |= ( pSrc->acvi_aci << 5 );
 tmp138__ |= ( pSrc->unused3 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp138__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30423,6 +32590,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp139__ = 0U;
 tmp139__ |= ( pSrc->acvi_acwmin << 0 );
 tmp139__ |= ( pSrc->acvi_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp139__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30435,6 +32605,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp140__ |= ( pSrc->acvo_acm << 4 );
 tmp140__ |= ( pSrc->acvo_aci << 5 );
 tmp140__ |= ( pSrc->unused4 << 7 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp140__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -30442,6 +32615,9 @@ tANI_U32 dot11fPackIeWMMParams(tpAniSirGlobal pCtx,
 tmp141__ = 0U;
 tmp141__ |= ( pSrc->acvo_acwmin << 0 );
 tmp141__ |= ( pSrc->acvo_acwmax << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp141__;
 *pnConsumed += 1;
 pBuf += 1;
@@ -31086,6 +33262,9 @@ tANI_U32 dot11fPackIefils_indication(tpAniSirGlobal pCtx,
 tmp142__ |= ( pSrc->is_fils_sk_auth_pfs_supported << 10 );
 tmp142__ |= ( pSrc->is_pk_auth_supported << 11 );
 tmp142__ |= ( pSrc->reserved << 12 );
+ if (unlikely(nBuf < 2))
+ return DOT11F_INCOMPLETE_IE;
+
 frameshtons(pCtx, pBuf, tmp142__, 0);
 *pnConsumed += 2;
 pBuf += 2;
@@ -31334,6 +33513,9 @@ tANI_U32 dot11fPackIehs20vendor_ie(tpAniSirGlobal pCtx,
 tmp143__ |= ( pSrc->hs_id_present << 1 );
 tmp143__ |= ( pSrc->reserved << 3 );
 tmp143__ |= ( pSrc->release_num << 4 );
+ if (unlikely(nBuf < 1))
+ return DOT11F_INCOMPLETE_IE;
+
 *pBuf = tmp143__;
 *pnConsumed += 1;
 pBuf += 1;