wlan: Add Null check before dereference of pointer
Add NULL checks for pointers before dereferencing them.
Also add check to validate length of buffer.
Change-Id: I4a5a45927877e9f899c762418b549894510eb7df
CRs-Fixed: 2006479
diff --git a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
index 1393690..98cdc5c 100644
--- a/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
+++ b/CORE/MAC/src/pe/lim/limProcessMlmRspMessages.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -1068,8 +1068,15 @@
}
sirStoreU16N((tANI_U8 *) &pSirSmeReassocInd->messageType,
eWNI_SME_REASSOC_IND);
- limReassocIndSerDes(pMac, (tpLimMlmReassocInd) pMsgBuf,
- (tANI_U8 *) &(pSirSmeReassocInd->length), psessionEntry);
+ if (limReassocIndSerDes(pMac, (tpLimMlmReassocInd) pMsgBuf,
+ (tANI_U8 *) &(pSirSmeReassocInd->length),
+ psessionEntry, sizeof(tSirSmeReassocInd))
+ != eSIR_SUCCESS)
+ {
+ limLog(pMac, LOGE,FL(" Received SME message with invalid rem length"));
+ vos_mem_free(pSirSmeReassocInd);
+ return;
+ }
// Required for indicating the frames to upper layer
pSirSmeReassocInd->assocReqLength = ((tpLimMlmReassocInd) pMsgBuf)->assocReqLength;
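Review bot: The bound handed to limReassocIndSerDes is `sizeof(tSirSmeReassocInd)`, but the allocation of pSirSmeReassocInd lies outside this hunk, so if that allocation uses any other size expression the new check bounds the wrong buffer; derive both from one expression, or pass the allocated size. The log text `Received SME message with invalid rem length` is also misleading here, since this path serializes an MLM indication for SME rather than receiving one; something like `FL("Serialized REASSOC_IND does not fit the SME buffer")` names what actually failed. Both remarks apply equally to the limAuthIndSerDes hunk below. The enclosing function begins and ends outside the hunk, so whether the early `return;` skips any other cleanup cannot be confirmed from here.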
@@ -1141,8 +1148,14 @@
return;
}
limCopyU16((tANI_U8 *) &pSirSmeAuthInd->messageType, eWNI_SME_AUTH_IND);
- limAuthIndSerDes(pMac, (tpLimMlmAuthInd) pMsgBuf,
- (tANI_U8 *) &(pSirSmeAuthInd->length));
+ if (limAuthIndSerDes(pMac, (tpLimMlmAuthInd) pMsgBuf,
+ (tANI_U8 *) &(pSirSmeAuthInd->length),
+ sizeof(tSirSmeAuthInd)) != eSIR_SUCCESS)
+ {
+ limLog(pMac, LOGE,FL(" Received SME message with invalid rem length"));
+ vos_mem_free(pSirSmeAuthInd);
+ return;
+ }
msgQ.type = eWNI_SME_AUTH_IND;
msgQ.bodyptr = pSirSmeAuthInd;
msgQ.bodyval = 0;
diff --git a/CORE/MAC/src/pe/lim/limSerDesUtils.c b/CORE/MAC/src/pe/lim/limSerDesUtils.c
index 3fb524b..b429451 100644
--- a/CORE/MAC/src/pe/lim/limSerDesUtils.c
+++ b/CORE/MAC/src/pe/lim/limSerDesUtils.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2016 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -1640,9 +1640,13 @@
return eSIR_SUCCESS;
} /*** end limDisassocCnfSerDes() ***/
+static inline int CheckRemainingLength(tANI_U16 mLen, tANI_U16 len)
+{
+ if (mLen > (len - sizeof(tANI_U16)))
+ return eSIR_FAILURE;
-
-
+ return eSIR_SUCCESS;
+}
/**---------------------------------------------------------------
\fn limReassocIndSerDes
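Review bot: In `mLen > (len - sizeof(tANI_U16))` the `len` operand is promoted to size_t, so a `len` below two wraps the subtraction to a huge value and the helper accepts any mLen; guard it with `if (len < sizeof(tANI_U16) || mLen > len - sizeof(tANI_U16)) return eSIR_FAILURE;`. Today's callers pass a struct size, so this is latent, but a helper whose only job is bounding writes should be safe for every argument. The helper has no comment; `/* Fail when a serialized length of mLen bytes would exceed a len-byte destination; the two-byte slack presumably accounts for the length field the callers skip with pBuf += sizeof(tANI_U16). */` would state the contract, with the offset's meaning confirmed against the callers. Its PascalCase name also departs from the camelCase `lim*` naming used throughout this file.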
@@ -1654,11 +1658,15 @@
\param pReassocInd - Pointer to the received tLimMlmReassocInd
\param pBuf - Pointer to serialized buffer
\param psessionEntry - pointer to PE session entry
+\param len - size of tSirSmeReassocInd structure
\
-\return None
+\return tSirRietStatus Indicates whether message is successfully
+\ de-serialized (eSIR_SUCCESS) or
+\ not (eSIR_FAILURE)
------------------------------------------------------------------*/
-void
-limReassocIndSerDes(tpAniSirGlobal pMac, tpLimMlmReassocInd pReassocInd, tANI_U8 *pBuf, tpPESession psessionEntry)
+tSirRetStatus
+limReassocIndSerDes(tpAniSirGlobal pMac, tpLimMlmReassocInd pReassocInd,
+ tANI_U8 *pBuf, tpPESession psessionEntry, tANI_U16 len)
{
tANI_U8 *pLen = pBuf;
tANI_U16 mLen = 0;
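Review bot: The new doc block spells the return type `tSirRietStatus`, which does not match the `tSirRetStatus` signature added directly below it. It also says the message is "de-serialized", whereas the body copies fields out of pReassocInd into pBuf, i.e. it serializes; `\return tSirRetStatus eSIR_SUCCESS when the indication was serialized into pBuf within len bytes, eSIR_FAILURE otherwise` describes the visible behaviour. The limAuthIndSerDes doc block later in this file uses the same "de-serialized" wording and would benefit from the same correction.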
@@ -1669,68 +1677,97 @@
mLen = sizeof(tANI_U32);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
pBuf += sizeof(tANI_U16);
*pBuf++ = psessionEntry->smeSessionId;
mLen += sizeof(tANI_U8);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in peerMacAddr
vos_mem_copy( pBuf, pReassocInd->peerMacAddr, sizeof(tSirMacAddr));
pBuf += sizeof(tSirMacAddr);
mLen += sizeof(tSirMacAddr);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in oldMacAddr
vos_mem_copy( pBuf, pReassocInd->currentApAddr, sizeof(tSirMacAddr));
pBuf += sizeof(tSirMacAddr);
mLen += sizeof(tSirMacAddr);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in aid
limCopyU16(pBuf, pReassocInd->aid);
pBuf += sizeof(tANI_U16);
mLen += sizeof(tANI_U16);
-
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
// Fill in bssId
vos_mem_copy( pBuf, psessionEntry->bssId, sizeof(tSirMacAddr));
pBuf += sizeof(tSirMacAddr);
mLen += sizeof(tSirMacAddr);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in staId
limCopyU16(pBuf, psessionEntry->staId);
pBuf += sizeof(tANI_U16);
mLen += sizeof(tANI_U16);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in authType
limCopyU32(pBuf, pReassocInd->authType);
pBuf += sizeof(tAniAuthType);
mLen += sizeof(tAniAuthType);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in ssId
vos_mem_copy( pBuf, (tANI_U8 *) &(pReassocInd->ssId),
pReassocInd->ssId.length + 1);
pBuf += 1 + pReassocInd->ssId.length;
mLen += pReassocInd->ssId.length + 1;
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in rsnIE
limCopyU16(pBuf, pReassocInd->rsnIE.length);
pBuf += sizeof(tANI_U16);
mLen += sizeof(tANI_U16);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
vos_mem_copy( pBuf, (tANI_U8 *) &(pReassocInd->rsnIE.rsnIEdata),
pReassocInd->rsnIE.length);
pBuf += pReassocInd->rsnIE.length;
mLen += pReassocInd->rsnIE.length;
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in addIE
limCopyU16(pBuf, pReassocInd->addIE.length);
pBuf += sizeof(tANI_U16);
mLen += sizeof(tANI_U16);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
vos_mem_copy( pBuf, (tANI_U8*) &(pReassocInd->addIE.addIEdata),
pReassocInd->addIE.length);
pBuf += pReassocInd->addIE.length;
mLen += pReassocInd->addIE.length;
-
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
limCopyU32(pBuf, pReassocInd->spectrumMgtIndicator);
pBuf += sizeof(tAniBool);
mLen += sizeof(tAniBool);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
if (pReassocInd->spectrumMgtIndicator == eSIR_TRUE)
{
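Review bot: Every CheckRemainingLength call runs after the bytes have already been written, so for the variable-length fields (ssId at `vos_mem_copy( pBuf, (tANI_U8 *) &(pReassocInd->ssId), ...)`, rsnIE, addIE and, in the following hunks, supportedChannels.channelList) the out-of-bounds write has already happened when the check returns eSIR_FAILURE; the caller then frees the buffer, but whatever sat behind it is already overwritten. The check must be applied to the projected length before each copy, as sketched below. Because the helper's parameters are tANI_U16, the projected sum should be held in a wider local so `mLen + rsnIE.length` cannot wrap before the comparison. limAuthIndSerDes has the same after-the-fact ordering, although its fields are all fixed-size. The function's body continues into the next two hunks.
```c
tANI_U32 need; /* projected length, kept wide so the sum cannot wrap before the compare */
/* … unchanged: fixed-size fields up to authType … */
// Fill in ssId: validate the projected length BEFORE the copy
need = (tANI_U32)mLen + pReassocInd->ssId.length + 1;
if (need > len || CheckRemainingLength((tANI_U16)need, len) == eSIR_FAILURE)
    return eSIR_FAILURE;
vos_mem_copy( pBuf, (tANI_U8 *) &(pReassocInd->ssId),
              pReassocInd->ssId.length + 1);
pBuf += 1 + pReassocInd->ssId.length;
mLen = (tANI_U16)need;
// Fill in rsnIE
limCopyU16(pBuf, pReassocInd->rsnIE.length);
pBuf += sizeof(tANI_U16);
mLen += sizeof(tANI_U16);
need = (tANI_U32)mLen + pReassocInd->rsnIE.length;
if (need > len || CheckRemainingLength((tANI_U16)need, len) == eSIR_FAILURE)
    return eSIR_FAILURE;
vos_mem_copy( pBuf, (tANI_U8 *) &(pReassocInd->rsnIE.rsnIEdata),
              pReassocInd->rsnIE.length);
pBuf += pReassocInd->rsnIE.length;
mLen = (tANI_U16)need;
/* … same pre-copy pattern for addIE and supportedChannels.channelList; fixed-size fields unchanged … */
```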
@@ -1739,10 +1776,14 @@
*pBuf = pReassocInd->powerCap.maxTxPower;
pBuf++;
mLen += sizeof(tSirMacPowerCapInfo);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
*pBuf = pReassocInd->supportedChannels.numChnl;
pBuf++;
mLen++;
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
vos_mem_copy( pBuf,
(tANI_U8 *) &(pReassocInd->supportedChannels.channelList),
@@ -1750,16 +1791,23 @@
pBuf += pReassocInd->supportedChannels.numChnl;
mLen += pReassocInd->supportedChannels.numChnl;
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
}
limCopyU32(pBuf, pReassocInd->WmmStaInfoPresent);
pBuf += sizeof(tANI_U32);
mLen += sizeof(tANI_U32);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// Fill in length of SME_REASSOC_IND message
limCopyU16(pLen, mLen);
PELOG1(limLog(pMac, LOG1, FL("Sending SME_REASSOC_IND length %d bytes:"), mLen);)
PELOG1(sirDumpBuf(pMac, SIR_LIM_MODULE_ID, LOG1, pTemp, mLen);)
+
+ return eSIR_SUCCESS;
} /*** end limReassocIndSerDes() ***/
@@ -1782,12 +1830,15 @@
*
* @param pAuthInd Pointer to tSirSmeAuthInd being sent
* @param pBuf Pointer to serialized buffer
+ * @param len size of tSirSmeAuthInd structure
*
- * @return None
+ * @return tSirRetStatus Indicates whether message is successfully
+ * de-serialized (eSIR_SUCCESS) or
+ * not (eSIR_FAILURE)
*/
-void
-limAuthIndSerDes(tpAniSirGlobal pMac, tpLimMlmAuthInd pAuthInd, tANI_U8 *pBuf)
+tSirRetStatus
+limAuthIndSerDes(tpAniSirGlobal pMac, tpLimMlmAuthInd pAuthInd, tANI_U8 *pBuf, tANI_U16 len)
{
tANI_U8 *pLen = pBuf;
tANI_U16 mLen = 0;
@@ -1797,27 +1848,39 @@
#endif
mLen = sizeof(tANI_U32);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
pBuf += sizeof(tANI_U16);
*pBuf++ = pAuthInd->sessionId;
mLen += sizeof(tANI_U8);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
// BTAMP TODO: Fill in bssId
vos_mem_set(pBuf, sizeof(tSirMacAddr), 0);
pBuf += sizeof(tSirMacAddr);
mLen += sizeof(tSirMacAddr);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
vos_mem_copy( pBuf, pAuthInd->peerMacAddr, sizeof(tSirMacAddr));
pBuf += sizeof(tSirMacAddr);
mLen += sizeof(tSirMacAddr);
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
limCopyU32(pBuf, pAuthInd->authType);
pBuf += sizeof(tAniAuthType);
mLen += sizeof(tAniAuthType);
-
+ if (CheckRemainingLength(mLen, len) == eSIR_FAILURE)
+ return eSIR_FAILURE;
+
limCopyU16(pLen, mLen);
PELOG1(limLog(pMac, LOG1, FL("Sending SME_AUTH_IND length %d bytes:"), mLen);)
PELOG1(sirDumpBuf(pMac, SIR_LIM_MODULE_ID, LOG1, pTemp, mLen);)
+
+ return eSIR_SUCCESS;
} /*** end limAuthIndSerDes() ***/
diff --git a/CORE/MAC/src/pe/lim/limSerDesUtils.h b/CORE/MAC/src/pe/lim/limSerDesUtils.h
index a43bc13..29aff5a 100644
--- a/CORE/MAC/src/pe/lim/limSerDesUtils.h
+++ b/CORE/MAC/src/pe/lim/limSerDesUtils.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2017 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -50,13 +50,15 @@
tSirRetStatus limStopBssReqSerDes(tpAniSirGlobal, tpSirSmeStopBssReq, tANI_U8 *);
tSirRetStatus limJoinReqSerDes(tpAniSirGlobal, tpSirSmeJoinReq, tANI_U8 *);
void limAssocIndSerDes(tpAniSirGlobal, tpLimMlmAssocInd, tANI_U8 *, tpPESession);
-void limReassocIndSerDes(tpAniSirGlobal, tpLimMlmReassocInd, tANI_U8 *, tpPESession psessionEntry);
+tSirRetStatus limReassocIndSerDes(tpAniSirGlobal, tpLimMlmReassocInd, tANI_U8 *,
+ tpPESession psessionEntry, tANI_U16 len);
tSirRetStatus limAssocCnfSerDes(tpAniSirGlobal, tpSirSmeAssocCnf, tANI_U8 *);
tSirRetStatus limDisassocCnfSerDes(tpAniSirGlobal, tpSirSmeDisassocCnf, tANI_U8 *);
tSirRetStatus limSetContextReqSerDes(tpAniSirGlobal, tpSirSmeSetContextReq, tANI_U8 *);
tSirRetStatus limDisassocReqSerDes(tpAniSirGlobal, tSirSmeDisassocReq *, tANI_U8 *);
tSirRetStatus limDeauthReqSerDes(tpAniSirGlobal, tSirSmeDeauthReq *, tANI_U8 *);
-void limAuthIndSerDes(tpAniSirGlobal, tpLimMlmAuthInd, tANI_U8 *);
+tSirRetStatus limAuthIndSerDes(tpAniSirGlobal, tpLimMlmAuthInd, tANI_U8 *,
+ tANI_U16 len);
void limStatSerDes(tpAniSirGlobal, tpAniStaStatStruct, tANI_U8 *);
void limGetSessionInfo(tpAniSirGlobal pMac, tANI_U8 *, tANI_U8 *, tANI_U16 *);
diff --git a/CORE/SME/src/csr/csrApiRoam.c b/CORE/SME/src/csr/csrApiRoam.c
index d9a472b..4c6aa21 100644
--- a/CORE/SME/src/csr/csrApiRoam.c
+++ b/CORE/SME/src/csr/csrApiRoam.c
@@ -6357,19 +6357,23 @@
if( CSR_IS_SESSION_VALID(pMac, sessionId) )
{
pSession = CSR_GET_SESSION(pMac, sessionId);
-
- if ( CSR_IS_INFRA_AP(&pSession->connectedProfile) )
+ if (pSession)
{
- roamInfo.u.pConnectedProfile = &pSession->connectedProfile;
- vos_mem_copy(roamInfo.peerMac,
- pCommand->u.roamCmd.peerMac,
- sizeof(tSirMacAddr));
- roamInfo.reasonCode = eCSR_ROAM_RESULT_FORCED;
- roamInfo.statusCode = eSIR_SME_SUCCESS;
- status = csrRoamCallCallback(pMac, sessionId,
- &roamInfo, pCommand->u.roamCmd.roamId,
- eCSR_ROAM_LOSTLINK, eCSR_ROAM_RESULT_FORCED);
- }
+ if ( CSR_IS_INFRA_AP(&pSession->connectedProfile) )
+ {
+ roamInfo.u.pConnectedProfile =
+ &pSession->connectedProfile;
+ vos_mem_copy(roamInfo.peerMac,
+ pCommand->u.roamCmd.peerMac,
+ sizeof(tSirMacAddr));
+ roamInfo.reasonCode = eCSR_ROAM_RESULT_FORCED;
+ roamInfo.statusCode = eSIR_SME_SUCCESS;
+ status = csrRoamCallCallback(pMac, sessionId,
+ &roamInfo, pCommand->u.roamCmd.roamId,
+ eCSR_ROAM_LOSTLINK,
+ eCSR_ROAM_RESULT_FORCED);
+ }
+ }
}
break;
case eCsrLostLink1:
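Review bot: When pSession comes back NULL, the new `if (pSession)` guard drops the lost-link callback silently; because CSR_IS_SESSION_VALID passed one line earlier, a NULL here is an inconsistency worth recording, as the pScanResult hunk further down does with smsLog. Adding `else smsLog(pMac, LOGE, FL("session %d is NULL"), sessionId);` keeps the two guards consistent and makes the dropped callback visible in logs. The enclosing switch and function start and end outside the hunk.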
@@ -8175,6 +8179,12 @@
if(pCommand->u.roamCmd.pRoamBssEntry)
{
pScanResult = GET_BASE_ADDR(pCommand->u.roamCmd.pRoamBssEntry, tCsrScanResult, Link);
+ if (!pScanResult)
+ {
+ smsLog(pMac, LOGE,
+ FL("Failed to get base address for pScanResult"));
+ return;
+ }
pBssDesc = &pScanResult->Result.BssDescriptor;
}
if ( csrIsBssTypeIBSS( pCommand->u.roamCmd.roamProfile.BSSType ) ||
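Review bot: The `if (!pScanResult)` test after GET_BASE_ADDR is very likely dead: if GET_BASE_ADDR is the usual container-of subtraction (its definition is not in the hunk, so this is inferred), it yields NULL only when the pRoamBssEntry just checked on the line above equals the member offset, so the check conveys safety it does not provide. The effective guard is the existing one on pRoamBssEntry; if a NULL result really is reachable here, a comment should state under which condition. The enclosing function continues past the hunk, so whether `return;` skips any cleanup cannot be confirmed.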
@@ -8202,6 +8212,12 @@
}
// If we are roaming TO an Infrastructure BSS...
VOS_ASSERT(pScanResult != NULL);
+ if( !pScanResult->Result.pvIes )
+ {
+ smsLog(pMac, LOGE, FL(" pvIes is NULL"));
+ return;
+ }
+
if ( csrIsInfraBssDesc( pBssDesc ) )
{
tDot11fBeaconIEs *pIesLocal = (tDot11fBeaconIEs *)pScanResult->Result.pvIes;
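Review bot: The new `if( !pScanResult->Result.pvIes )` dereferences pScanResult unconditionally, right after `VOS_ASSERT(pScanResult != NULL)`; in builds where VOS_ASSERT only logs, a pScanResult left NULL (it is only assigned when pRoamBssEntry is non-NULL in the earlier hunk) now faults inside the check itself, whereas before the commit the dereference was reached only under `csrIsInfraBssDesc( pBssDesc )`. `if( !pScanResult || !pScanResult->Result.pvIes )` closes that gap. The function's body and return path continue beyond the hunk.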
@@ -11123,35 +11139,35 @@
macTraceGetcsrRoamSubState(
pMac->roam.curSubState[pInfo->sessionId]));
- if( CSR_IS_WAIT_FOR_KEY( pMac, pInfo->sessionId ) )
+ if (pSession)
{
+ if( CSR_IS_WAIT_FOR_KEY( pMac, pInfo->sessionId ) )
+ {
#ifdef FEATURE_WLAN_LFR
- if (csrNeighborRoamIsHandoffInProgress(pMac))
- {
- /*
- * Enable heartbeat timer when hand-off is in progress
- * and Key Wait timer expired.
- */
- smsLog(pMac, LOG2, "Enabling HB timer after WaitKey expiry"
- " (nHBCount=%d)",
- pMac->roam.configParam.HeartbeatThresh24);
- ccmCfgSetInt(pMac, WNI_CFG_HEART_BEAT_THRESHOLD,
- pMac->roam.configParam.HeartbeatThresh24,
- NULL, eANI_BOOLEAN_FALSE);
- }
+ if (csrNeighborRoamIsHandoffInProgress(pMac))
+ {
+ /*
+ * Enable heartbeat timer when hand-off is in progress
+ * and Key Wait timer expired.
+ */
+ smsLog(pMac, LOG2, "Enabling HB timer after WaitKey expiry"
+ " (nHBCount=%d)",
+ pMac->roam.configParam.HeartbeatThresh24);
+ ccmCfgSetInt(pMac, WNI_CFG_HEART_BEAT_THRESHOLD,
+ pMac->roam.configParam.HeartbeatThresh24,
+ NULL, eANI_BOOLEAN_FALSE);
+ }
#endif
- smsLog(pMac, LOGE, " SME pre-auth state timeout. ");
+ smsLog(pMac, LOGE, " SME pre-auth state timeout. ");
- //Change the substate so command queue is unblocked.
- if (CSR_ROAM_SESSION_MAX > pInfo->sessionId)
- {
- csrRoamSubstateChange(pMac, eCSR_ROAM_SUBSTATE_NONE,
- pInfo->sessionId);
- }
+ //Change the substate so command queue is unblocked.
+ if (CSR_ROAM_SESSION_MAX > pInfo->sessionId)
+ {
+ csrRoamSubstateChange(pMac, eCSR_ROAM_SUBSTATE_NONE,
+ pInfo->sessionId);
+ }
- if (pSession)
- {
- if( csrIsConnStateConnectedInfra(pMac, pInfo->sessionId) )
+ if( csrIsConnStateConnectedInfra(pMac, pInfo->sessionId) )
{
csrRoamLinkUp(pMac, pSession->connectedProfile.bssid);
smeProcessPendingQueue(pMac);
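Review bot: Nesting the whole WAIT_FOR_KEY branch under `if (pSession)` means the `csrRoamSubstateChange(pMac, eCSR_ROAM_SUBSTATE_NONE, ...)` reset (and the timeout log) no longer run when pSession is NULL, whereas before the commit the substate was cleared regardless and only the csrIsConnStateConnectedInfra path was session-guarded. If a NULL session can coexist with the WAIT_FOR_KEY substate, the command queue would now stay blocked; if it cannot, a comment stating that assumption would help the next reader. A smaller change keeps the substate reset outside the guard and moves only `csrRoamLinkUp(pMac, pSession->connectedProfile.bssid)` and its sibling call under it. The enclosing function continues past the hunk.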
diff --git a/CORE/WDI/CP/src/wlan_qct_wdi.c b/CORE/WDI/CP/src/wlan_qct_wdi.c
index 5516df0..04a6add 100644
--- a/CORE/WDI/CP/src/wlan_qct_wdi.c
+++ b/CORE/WDI/CP/src/wlan_qct_wdi.c
@@ -28251,6 +28251,8 @@
/*Notify UMAC*/
pWDICtx->wdiLowLevelIndCB( &wdiInd, pWDICtx->pIndUserData );
}
+ else
+ vos_mem_free( wdiInd.wdiIndicationData.wdiPrefNetworkFoundInd.pData);
return WDI_STATUS_SUCCESS;
}
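Review bot: The added `else` has no braces while every other branch touched by this commit is braced; `else { vos_mem_free( wdiInd.wdiIndicationData.wdiPrefNetworkFoundInd.pData); }` keeps the style consistent and protects the next edit that adds a second statement. The `if` it pairs with starts outside the hunk, so the ownership split (callback consumes pData, otherwise this function releases it) is inferred rather than visible; a short comment such as `/* no indication callback registered: release the buffer ourselves */` would document it, once that reading is confirmed against the condition above.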