Merge "qcacld-2.0: Check for minimum frameLen for action frames" into wlan-driver.lnx.1.0.r31-rel

commit: 51927eb23b01c7b5555ae4b62fa915a01c2a4c60 [log] [tgz]
author: Linux Build Service Account <lnxbuild@localhost> Tue Mar 17 23:18:02 2020 -0700
committer: Gerrit - the friendly Code Review server <code-review@localhost> Tue Mar 17 23:18:04 2020 -0700
tree: 45aef3438ceeba1918f367aa3860301ee3902077
parent: a1a9aaa7006bf80363b892611a7c78e6320830b5 [diff]
parent: 3b58fb22d2ea9da6f1704030f1d87ce4cf36d2b4 [diff]
diff --git a/CORE/HDD/src/wlan_hdd_assoc.c b/CORE/HDD/src/wlan_hdd_assoc.c
index 5258b34..3e6418f 100644
--- a/CORE/HDD/src/wlan_hdd_assoc.c
+++ b/CORE/HDD/src/wlan_hdd_assoc.c

@@ -951,10 +951,10 @@
     unsigned int len = 0;
     u8 *pFTAssocRsp = NULL;
 
-    if (pCsrRoamInfo->nAssocRspLength == 0)
+    if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET)
     {
         hddLog(LOGE,
-            "%s: pCsrRoamInfo->nAssocRspLength=%d",
+            "%s: Invalid assoc rsp length %d",
             __func__, (int)pCsrRoamInfo->nAssocRspLength);
         return;
     }
@@ -973,6 +973,16 @@
         (unsigned int)pFTAssocRsp[0],
         (unsigned int)pFTAssocRsp[1]);
 
+    /* Send the Assoc Resp, the supplicant needs this for initial Auth. */
+    len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+    if (len > IW_GENERIC_IE_MAX) {
+        hddLog(LOGE,
+             "%s: Invalid assoc rsp length %d",
+             __func__, (int)pCsrRoamInfo->nAssocRspLength);
+        return;
+    }
+    wrqu.data.length = len;
+
     // We need to send the IEs to the supplicant.
     buff = kmalloc(IW_GENERIC_IE_MAX, GFP_ATOMIC);
     if (buff == NULL)
@@ -981,9 +991,6 @@
         return;
     }
 
-    // Send the Assoc Resp, the supplicant needs this for initial Auth.
-    len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
-    wrqu.data.length = len;
     memset(buff, 0, IW_GENERIC_IE_MAX);
     memcpy(buff, pFTAssocRsp, len);
     wireless_send_event(dev, IWEVASSOCRESPIE, &wrqu, buff);
@@ -2230,8 +2237,10 @@
         goto done;
     }
 
-    if (pCsrRoamInfo->nAssocRspLength == 0) {
-        hddLog(LOGE, "%s: Invalid assoc response length", __func__);
+    if (pCsrRoamInfo->nAssocRspLength < FT_ASSOC_RSP_IES_OFFSET) {
+
+        hddLog(LOGE, "%s: Invalid assoc response length %d",
+               __func__, pCsrRoamInfo->nAssocRspLength);
         goto done;
     }
 
@@ -2248,6 +2257,11 @@
 
     // Send the Assoc Resp, the supplicant needs this for initial Auth.
     len = pCsrRoamInfo->nAssocRspLength - FT_ASSOC_RSP_IES_OFFSET;
+    if (len > IW_GENERIC_IE_MAX) {
+        hddLog(LOGE, "%s: Invalid assoc response length %d",
+                __func__, pCsrRoamInfo->nAssocRspLength);
+         goto done;
+    }
     rspRsnLength = len;
     memcpy(rspRsnIe, pFTAssocRsp, len);
     memset(rspRsnIe + len, 0, IW_GENERIC_IE_MAX - len);
commit	51927eb23b01c7b5555ae4b62fa915a01c2a4c60	[log] [tgz]
author	Linux Build Service Account <lnxbuild@localhost>	Tue Mar 17 23:18:02 2020 -0700
committer	Gerrit - the friendly Code Review server <code-review@localhost>	Tue Mar 17 23:18:04 2020 -0700
tree	45aef3438ceeba1918f367aa3860301ee3902077
parent	a1a9aaa7006bf80363b892611a7c78e6320830b5 [diff]
parent	3b58fb22d2ea9da6f1704030f1d87ce4cf36d2b4 [diff]