commit 02b08ed5c5b7d67ffd13d3f6f0329b73ff2a61e8
author Abhishek Singh <absingh@codeaurora.org> Wed Sep 26 15:04:58 2018 +0530
committer Abhishek Singh <absingh@codeaurora.org> Mon Oct 01 14:13:56 2018 +0530
tree 4bb7335872ad95379500e491edf56da74b5f2326
parent f852cc5647db2d3f56aff9e4c52679f285b7b74c

prima: Fix parsing of WSC IE

Fix parsing of WSC IE in limLookupNaddHashEntry
and csrCheckNSaveWscIe

Change-Id: I66fd7d91091486b94eb050e5d5c877c1a4f9c840
CRs-Fixed: 2321814

CORE/MAC/src/pe/lim/limScanResultUtils.c

diff --git a/CORE/MAC/src/pe/lim/limScanResultUtils.c b/CORE/MAC/src/pe/lim/limScanResultUtils.c
index f166ec7..5d1017f 100644
--- a/CORE/MAC/src/pe/lim/limScanResultUtils.c
+++ b/CORE/MAC/src/pe/lim/limScanResultUtils.c
@@ -709,7 +709,7 @@
     tANI_U8                found = false;
     tLimScanResultNode *ptemp, *pprev;
     tSirMacCapabilityInfo *pSirCap, *pSirCapTemp;
-    int idx, len;
+    int len, elem_id, elem_len;
     tANI_U8 *pbIe;
     tANI_S8  rssi = 0;
 
@@ -757,31 +757,44 @@
                    rssi = ptemp->bssDescription.rssi;
                 }
 
-                if(pBssDescr->bssDescription.fProbeRsp != ptemp->bssDescription.fProbeRsp)
+                if(pBssDescr->bssDescription.fProbeRsp !=
+                                             ptemp->bssDescription.fProbeRsp)
                 {
                     //We get a different, save the old frame WSC IE if it is there
-                    idx = 0;
-                    len = ptemp->bssDescription.length - sizeof(tSirBssDescription) + 
-                       sizeof(tANI_U16) + sizeof(tANI_U32) - DOT11F_IE_WSCPROBERES_MIN_LEN - 2;
+                    len = ptemp->bssDescription.length -
+                                 sizeof(tSirBssDescription) +
+                                 sizeof(tANI_U16) + sizeof(tANI_U32);
                     pbIe = (tANI_U8 *)ptemp->bssDescription.ieFields;
                     //Save WPS IE if it exists
                     pBssDescr->bssDescription.WscIeLen = 0;
-                    while(idx < len)
+                    while (len >= 2)
                     {
-                        if((DOT11F_EID_WSCPROBERES == pbIe[0]) &&
-                           (0x00 == pbIe[2]) && (0x50 == pbIe[3]) && (0xf2 == pbIe[4]) && (0x04 == pbIe[5]))
+                        elem_id = pbIe[0];
+                        elem_len = pbIe[1];
+                        len -= 2;
+                        if (elem_len > len) {
+                            limLog(pMac, LOGW, FL("Invalid eid: %d elem_len: %d left: %d"),
+                                   elem_id, elem_len, len);
+                            return eHAL_STATUS_FAILURE;
+                        }
+                        if ((elem_id == DOT11F_EID_WSCPROBERES) &&
+                            (elem_len >= DOT11F_IE_WSCPROBERES_MIN_LEN) &&
+                            ((pbIe[2] == 0x00) && (pbIe[3] == 0x50) &&
+                             (pbIe[4] == 0xf2) &&
+                             (pbIe[5] == 0x04)))
                         {
-                            //Found it
-                            if((DOT11F_IE_WSCPROBERES_MAX_LEN - 2) >= pbIe[1])
+                            if((elem_len + 2) <= WSCIE_PROBE_RSP_LEN)
                             {
-                                vos_mem_copy(pBssDescr->bssDescription.WscIeProbeRsp,
-                                   pbIe, pbIe[1] + 2);
-                                pBssDescr->bssDescription.WscIeLen = pbIe[1] + 2;
+                                vos_mem_copy(
+                                        pBssDescr->bssDescription.WscIeProbeRsp,
+                                        pbIe, elem_len + 2);
+                                pBssDescr->bssDescription.WscIeLen =
+                                                          elem_len + 2;
                             }
                             break;
                         }
-                        idx += pbIe[1] + 2;
-                        pbIe += pbIe[1] + 2;
+                        len -= elem_len;
+                        pbIe += (elem_len + 2);
                     }
                 }
                 /*