Merge branch 'dev/FP2N-265' into staging/n/fp2
* dev/FP2N-265:
wlan: Fix OOB read in sme_RrmProcessBeaconReportReqInd
wlan: Fix possible integer underflow in cfg80211_rx_mgmt
wlan: Fix possible buffer overflow in sirConvertAddtsRsp2Struct
wlan: Fix OOB read in lim_process_deauth_frame
wlan: Fix integer truncation in convert_wsc_opaque
wlan: Fix buffer overwrite in csrRoamCheckForLinkStatusChange
wlan: Avoid int overflow in csr_scan_save_preferred_network_found()
Change-Id: I1d22543fd3e9a2ded22ae19bd6ee622d8d8d3870
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
index 96af5eb..9964743 100755
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
@@ -11695,6 +11695,8 @@
hdd_context_t *hdd_ctx = NULL;
hdd_adapter_t *adapter = NULL;
v_CONTEXT_t vos_context = NULL;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
vos_context = vos_get_global_context(VOS_MODULE_ID_SYS, NULL);
@@ -11710,6 +11712,10 @@
{
return;
}
+ if (frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {
+ hddLog(LOGE, FL(" Invalid frame length"));
+ return;
+ }
adapter = hdd_get_adapter_by_sme_session_id(hdd_ctx,
frame_ind->sessionId);
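Review bot: The new length check reads `mgmt->frame_control` before it has established that the frame holds the two bytes of that field, so a frameLen of 0 or 1 still dereferences past the valid data before the guard fires. Extend the guard so the minimum is tested first: `if (frame_ind->frameLen < sizeof(mgmt->frame_control) || frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {`. Whether frameBuf is always backed by a buffer large enough to make the early read harmless is not visible here; if it is, a comment saying so would save the next reader the same question. The enclosing function starts before this hunk.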
diff --git a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
index a7d4df8..3ce107b4 100644
--- a/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
+++ b/drivers/staging/prima/CORE/MAC/src/pe/lim/limProcessDeauthFrame.c
@@ -68,15 +68,22 @@
tpDphHashNode pStaDs;
tpPESession pRoamSessionEntry=NULL;
tANI_U8 roamSessionId;
-#ifdef WLAN_FEATURE_11W
+
tANI_U32 frameLen;
-#endif
+
pHdr = WDA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WDA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+ if (frameLen < sizeof(reasonCode)) {
+ PELOGE(limLog(pMac, LOGE,
+ FL("Invalid framelen received %d"), frameLen);)
+ return;
+ }
+
if ((eLIM_STA_ROLE == psessionEntry->limSystemRole) && (eLIM_SME_WT_DEAUTH_STATE == psessionEntry->limSmeState))
{
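Review bot: The new rejection log prints `frameLen`, a tANI_U32, with `%d`; use `%u` (`FL("Invalid framelen received %u"), frameLen`) so large lengths are not rendered as negative numbers. The `sizeof(reasonCode)` bound presumes `reasonCode` is declared earlier in this function, which is outside the hunk; if it is the 16-bit reason code, the check admits exactly the frames whose body can be read. Replacing the `#ifdef WLAN_FEATURE_11W`/`#endif` pair with empty lines leaves two stray blank lines around the `frameLen` declaration; drop them.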
@@ -122,7 +129,6 @@
PELOGE(limLog(pMac, LOGE, FL("received an unprotected deauth from AP"));)
// If the frame received is unprotected, forward it to the supplicant to initiate
// an SA query
- frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
//send the unprotected frame indication to SME
limSendSmeUnprotectedMgmtFrameInd( pMac, pHdr->fc.subType,
diff --git a/drivers/staging/prima/CORE/SME/src/csr/csrApiRoam.c b/drivers/staging/prima/CORE/SME/src/csr/csrApiRoam.c
index fc8456d..cd5f25f 100644
--- a/drivers/staging/prima/CORE/SME/src/csr/csrApiRoam.c
+++ b/drivers/staging/prima/CORE/SME/src/csr/csrApiRoam.c
@@ -10117,11 +10117,14 @@
if(pNewBss)
{
vos_mem_copy(pIbssLog->bssid, pNewBss->bssId, 6);
- if(pNewBss->ssId.length)
- {
- vos_mem_copy(pIbssLog->ssid, pNewBss->ssId.ssId,
- pNewBss->ssId.length);
- }
+ if(pNewBss->ssId.length >
+ VOS_LOG_MAX_SSID_SIZE)
+ pNewBss->ssId.length =
+ VOS_LOG_MAX_SSID_SIZE;
+
+ vos_mem_copy(pIbssLog->ssid,
+ pNewBss->ssId.ssId,
+ pNewBss->ssId.length);
pIbssLog->operatingChannel = pNewBss->channelNumber;
}
if(HAL_STATUS_SUCCESS(ccmCfgGetInt(pMac, WNI_CFG_BEACON_INTERVAL, &bi)))
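Review bot: The clamp at the top of the hunk writes back into `pNewBss->ssId.length`, so the caller's BSS description is truncated to VOS_LOG_MAX_SSID_SIZE as a side effect of filling a log record; if pNewBss is shared with roaming state, an SSID longer than the log limit is silently shortened for everything that reads it afterwards. Clamp a local instead, declared with the same type as `ssId.length`: `ssid_len = pNewBss->ssId.length; if (ssid_len > VOS_LOG_MAX_SSID_SIZE) ssid_len = VOS_LOG_MAX_SSID_SIZE; vos_mem_copy(pIbssLog->ssid, pNewBss->ssId.ssId, ssid_len);`. Dropping the old `if(pNewBss->ssId.length)` guard is fine, since a zero-length copy is a no-op. The enclosing function starts before this hunk.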
diff --git a/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c b/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
index 06a34c6..874c223 100644
--- a/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
+++ b/drivers/staging/prima/CORE/SME/src/csr/csrApiScan.c
@@ -8400,6 +8400,13 @@
uLen = pPrefNetworkFoundInd->frameLength -
(SIR_MAC_HDR_LEN_3A + SIR_MAC_B_PR_SSID_OFFSET);
}
+ if (uLen > (UINT_MAX - sizeof(tCsrScanResult))) {
+ smsLog(pMac, LOGE,
+ FL("Incorrect len: %d, may leads to int overflow, uLen %d"),
+ pPrefNetworkFoundInd->frameLength, uLen);
+ vos_mem_vfree(pParsedFrame);
+ return eHAL_STATUS_FAILURE;
+ }
pScanResult = vos_mem_malloc(sizeof(tCsrScanResult) + uLen);
if ( NULL == pScanResult )
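Review bot: The overflow guard logs `frameLength` and `uLen` with `%d`, although `uLen` is compared against UINT_MAX and is therefore unsigned; use `%u` for both, and the message reads better as `may lead to int overflow`. The early return frees `pParsedFrame` with `vos_mem_vfree`, which is only correct if it came from the matching vmalloc-style allocator earlier in the function; that allocation is outside the hunk, so please confirm it, and confirm that nothing acquired between it and this point is leaked on the new return path. The guard only bounds the addition with `sizeof(tCsrScanResult)`; whether a very large but still representable `uLen` is acceptable to `vos_mem_malloc` is not decided here. The enclosing function starts before this hunk.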
diff --git a/drivers/staging/prima/CORE/SME/src/rrm/sme_rrm.c b/drivers/staging/prima/CORE/SME/src/rrm/sme_rrm.c
index 5988d67..841db0d 100644
--- a/drivers/staging/prima/CORE/SME/src/rrm/sme_rrm.c
+++ b/drivers/staging/prima/CORE/SME/src/rrm/sme_rrm.c
@@ -817,6 +817,11 @@
#if defined WLAN_VOWIFI_DEBUG
smsLog( pMac, LOGE, "Received Beacon report request ind Channel = %d", pBeaconReq->channelInfo.channelNum );
#endif
+ if (pBeaconReq->channelList.numChannels > SIR_ESE_MAX_MEAS_IE_REQS) {
+ smsLog( pMac, LOGP, "Beacon report request numChannels: %u exceeds "
+ "max num channels", pBeaconReq->channelList.numChannels);
+ return;
+ }
//section 11.10.8.1 (IEEE Std 802.11k-2008)
//channel 0 and 255 has special meaning.
if( (pBeaconReq->channelInfo.channelNum == 0) ||
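Review bot: The new bound rejects the request with `LOGP`, a level reserved for fatal conditions in this tree; if smsLog at LOGP escalates to an assertion or panic here, a peer sending an over-long beacon report request would turn an input-validation failure into a crash, and `LOGE`, as used by the debug log two lines above, is the appropriate level for rejecting malformed input. `SIR_ESE_MAX_MEAS_IE_REQS` is an ESE measurement limit rather than an obvious property of `channelList`; a one-line comment such as `/* channelList is sized for SIR_ESE_MAX_MEAS_IE_REQS entries; a larger count would index past it */` would make the check self-explanatory, assuming that is indeed how the array is declared. The enclosing function starts before this hunk.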
diff --git a/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/parserApi.c b/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/parserApi.c
index ca09447..e99a28e 100644
--- a/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/parserApi.c
+++ b/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/parserApi.c
@@ -3914,7 +3914,7 @@
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
- if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
+ if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{
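Review bot: The corrected clamp still operates on `j` after it has been narrowed to `tANI_U8`, so a `numTclas + num_WMMTCLAS` sum above 255 wraps to a small value before the comparison, the clamp never sees the true count, and the surplus TCLAS entries are silently dropped; whether the inputs can reach that range depends on parser limits that are not visible here. Computing the sum in a wider type and clamping before the cast removes the question: `tANI_U16 total = pAddTs->numTclas + addts.num_WMMTCLAS; j = (total > SIR_MAC_TCLASIE_MAXNUM) ? SIR_MAC_TCLASIE_MAXNUM : (tANI_U8)total;`. The same applies to the second hunk of this file, at `@@ -4096,7 +4096,7 @@`, which repeats the identical lines. The enclosing functions start before and end after each hunk.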
@@ -4096,7 +4096,7 @@
if ( addts.num_WMMTCLAS )
{
j = (tANI_U8)(pAddTs->numTclas + addts.num_WMMTCLAS);
- if ( SIR_MAC_TCLASIE_MAXNUM > j ) j = SIR_MAC_TCLASIE_MAXNUM;
+ if ( SIR_MAC_TCLASIE_MAXNUM < j ) j = SIR_MAC_TCLASIE_MAXNUM;
for ( i = pAddTs->numTclas; i < j; ++i )
{
diff --git a/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/utilsParser.c b/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/utilsParser.c
index 98b09b6..d18004d 100644
--- a/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/utilsParser.c
+++ b/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/utilsParser.c
@@ -136,7 +136,7 @@
{
// This is awful, I know, but the old code just rammed the IE into
// an opaque array. Note that we need to explicitly add the vendorIE and OUI !
- tANI_U8 curAddIELen = pOld->length;
+ tANI_U16 curAddIELen = pOld->length;
pOld->length = curAddIELen + pNew->num_data + 6;
pOld->addIEdata[ curAddIELen++ ] = 0xdd;
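Review bot: Widening `curAddIELen` to tANI_U16 stops the index from wrapping at 256, but the stores that follow (`pOld->addIEdata[ curAddIELen++ ] = 0xdd;` and the OUI and data bytes after it) are still not bounded by the capacity of `addIEdata`; if `pOld->length + pNew->num_data + 6` can exceed that array, the fix turns a wraparound into an out-of-bounds write instead. Assuming `addIEdata` is a fixed array, as the direct indexing suggests, check the new total before the first store: `if (curAddIELen + pNew->num_data + 6 > sizeof(pOld->addIEdata)) return;` with the function's usual failure value, which depends on a return type outside the hunk. The same applies to the hunks at `@@ -156,7 +156,7 @@` and `@@ -177,7 +177,7 @@`, which make the identical change. Each enclosing function starts before and ends after its hunk.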
@@ -156,7 +156,7 @@
{
// This is awful, I know, but the old code just rammed the IE into
// an opaque array. Note that we need to explicitly add the vendorIE and OUI !
- tANI_U8 curAddIELen = pOld->length;
+ tANI_U16 curAddIELen = pOld->length;
pOld->length = curAddIELen + pNew->num_data + 6;
pOld->addIEdata[ curAddIELen++ ] = 0xdd;
@@ -177,7 +177,7 @@
{
// This is awful, I know, but the old code just rammed the IE into
// an opaque array. Note that we need to explicitly add the vendorIE and OUI !
- tANI_U8 curAddIELen = pOld->length;
+ tANI_U16 curAddIELen = pOld->length;
pOld->length = curAddIELen + pNew->num_data + 6;
pOld->addIEdata[ curAddIELen++ ] = 0xdd;