wlan: Drop invalid AMSDU subframe
Drop AMSDU subframes if AMSDU subframe header's DA
is equal to LLC header.
Change-Id: Ieeb680cd395f275fe2b3bd98afdf4a2e57609b10
CRs-Fixed: 2867994
Issue: FP3SEC-47
(cherry picked from commit d7bbcbc43fbf44fbc94a1be654641e20c11d3c94)
diff --git a/CORE/TL/src/wlan_qct_tl.c b/CORE/TL/src/wlan_qct_tl.c
index bc24d80..2b0584f 100644
--- a/CORE/TL/src/wlan_qct_tl.c
+++ b/CORE/TL/src/wlan_qct_tl.c
@@ -8928,6 +8928,7 @@
v_PVOID_t aucBDHeader;
v_U8_t ucTid;
WLANTL_RxMetaInfoType wRxMetaInfo;
+ v_U8_t ucAsf; /* AMSDU sub frame */
/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*/
/*------------------------------------------------------------------------
@@ -8978,6 +8979,7 @@
usMPDULen = (v_U16_t)WDA_GET_RX_MPDU_LEN(aucBDHeader);
ucMPDUHLen = (v_U8_t)WDA_GET_RX_MPDU_HEADER_LEN(aucBDHeader);
ucTid = (v_U8_t)WDA_GET_RX_TID(aucBDHeader);
+ ucAsf = (v_U8_t)WDA_GET_RX_ASF(aucBDHeader);
vos_pkt_get_packet_length( vosDataBuff, &usPktLen);
@@ -8995,6 +8997,14 @@
return VOS_STATUS_SUCCESS;
}
+ if (ucAsf) {
+ vos_pkt_return_packet(vosDataBuff);
+ *pvosDataBuff = NULL;
+ VOS_TRACE(VOS_MODULE_ID_TL, VOS_TRACE_LEVEL_ERROR,
+ "WLAN TL: AMSDU frames are not allowed while authentication - dropping");
+ return VOS_STATUS_SUCCESS;
+ }
+
vosStatus = WLANTL_GetEtherType(aucBDHeader,vosDataBuff,ucMPDUHLen,&usEtherType);
if( VOS_IS_STATUS_SUCCESS(vosStatus) )
diff --git a/CORE/TL/src/wlan_qct_tl_ba.c b/CORE/TL/src/wlan_qct_tl_ba.c
index f65ed03..db290d4 100644
--- a/CORE/TL/src/wlan_qct_tl_ba.c
+++ b/CORE/TL/src/wlan_qct_tl_ba.c
@@ -844,6 +844,8 @@
v_U16_t packetLength;
static v_U32_t numAMSDUFrames;
vos_pkt_t* vosDataBuff;
+ uint8_t llc_hdr[6] = {0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00};
+
/*- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -*/
/*------------------------------------------------------------------------
Sanity check
@@ -922,6 +924,7 @@
pClientSTA->ucMPDUHeaderLen = ucMPDUHLen;
vos_mem_copy(pClientSTA->aucMPDUHeader, MPDUHeaderAMSDUHeader, ucMPDUHLen);
/* AMSDU header stored to handle garbage data within next frame */
+ pClientSTA->drop_amsdu = false;
}
else
{
@@ -959,6 +962,25 @@
return VOS_STATUS_SUCCESS; /*Not a transport error*/
}
+ if (pClientSTA->drop_amsdu) {
+ vos_pkt_return_packet(vosDataBuff);
+ *ppVosDataBuff = NULL;
+ return VOS_STATUS_SUCCESS;
+ }
+
+ /**
+ * Set drop_amsdu flag and drop AMSDU subframe if AMSDU subframe DA
+ * is equal to LLC header
+ */
+ if (vos_mem_compare2(MPDUHeaderAMSDUHeader + ucMPDUHLen, llc_hdr, 6) == 0) {
+ pClientSTA->drop_amsdu = true;
+ vos_pkt_return_packet(vosDataBuff);
+ *ppVosDataBuff = NULL;
+ VOS_TRACE(VOS_MODULE_ID_TL, VOS_TRACE_LEVEL_ERROR,
+ "WLAN TL:Invalid AMSDU frame - dropping");
+ return VOS_STATUS_SUCCESS;
+ }
+
/* Find Padding and remove */
vos_mem_copy(&subFrameLength, MPDUHeaderAMSDUHeader + ucMPDUHLen + WLANTL_AMSDU_SUBFRAME_LEN_OFFSET, sizeof(v_U16_t));
subFrameLength = vos_be16_to_cpu(subFrameLength);
diff --git a/CORE/TL/src/wlan_qct_tli.h b/CORE/TL/src/wlan_qct_tli.h
index 868e745..e97e38c 100644
--- a/CORE/TL/src/wlan_qct_tli.h
+++ b/CORE/TL/src/wlan_qct_tli.h
@@ -603,6 +603,9 @@
/* Pointer to the root of the chain */
vos_pkt_t* vosAMSDUChain;
+ /* Drop any invalid amsdu */
+ bool drop_amsdu;
+
/* Used for saving/restoring frame header for 802.3/11 AMSDU sub-frames */
v_U8_t aucMPDUHeader[WLANTL_MPDU_HEADER_LEN];