Merge tag 'LA.UM.9.6.2.c25-02800-89xx.0' into int/11/fp3
"LA.UM.9.6.2.c25-02800-89xx.0"
* tag 'LA.UM.9.6.2.c25-02800-89xx.0':
qcacld-2.0: Fix array OOB for duplicate rate
wlan: Avoid OOB read in dot11f_unpack_assoc_response
wlan: Fix possible OOB in UnpackTlvCore
wlan: Do not make hdd context as NULL in hdd adapter
wlan: Fix missing sta_id hash attach in ap mode
wlan: Fix possible OOB in unpack_tlv_core
wlan: Drop invalid EAPOL packets in SAP mode
wlan: Drop invalid AMSDU subframe
prima: Send assoc reject upon failing to post ASSOC_IND
Change-Id: I52faf6e6134e5f50b84aa8ce7c451da4a0160c9a
diff --git a/CORE/BAP/src/btampHCI.c b/CORE/BAP/src/btampHCI.c
index 157b8d4..b6cd1a3 100644
--- a/CORE/BAP/src/btampHCI.c
+++ b/CORE/BAP/src/btampHCI.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2013 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2013, 2021 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -2873,11 +2873,37 @@
else {
id = *pBufRemaining;
}
+ if ( sType > nBufRemaining )
+ {
+ FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
+ "fewer sType byte(s) remaining.\n" ) );
+ status |= BTAMP_INCOMPLETE_TLV;
+ FRAMES_DBG_BREAK();
+ goto MandatoryCheck;
+ }
pBufRemaining += sType;
nBufRemaining -= sType;
// & length,
- framesntohs(pCtx, &len, pBufRemaining, 1);
- pBufRemaining += sLen;
+ if ( 2 > nBufRemaining )
+ {
+ FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
+ "fewer two byte(s) remaining.\n" ) );
+ status |= BTAMP_INCOMPLETE_TLV;
+ FRAMES_DBG_BREAK();
+ goto MandatoryCheck;
+ }
+
+ framesntohs(pCtx, &len, pBufRemaining, 1);
+
+ if ( sLen > nBufRemaining )
+ {
+ FRAMES_LOG0( pCtx, FRLOGE, FRFL( "This frame reports "
+ "fewer sLen byte(s) remaining.\n" ) );
+ status |= BTAMP_INCOMPLETE_TLV;
+ FRAMES_DBG_BREAK();
+ goto MandatoryCheck;
+ }
+ pBufRemaining += sLen;
nBufRemaining -= sLen;
if ( pTlv && pTlv->pec )
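Review bot: The three new guards (the sType guard, the two-byte guard and the sLen guard) log only the name of the required size (`"fewer sType byte(s) remaining"`), not its value or the value of `nBufRemaining`, so a rejected frame cannot be characterised from the log; the same fixed-string wording is used in the dot11f.c unpack_tlv_core hunk at `@@ -23388`. If the FRAMES_LOG family in this file has a variant that takes arguments, report both counts, e.g. `"need %d byte(s), %d remaining"` with the required size and `nBufRemaining`. The three blocks differ only in the required count, so one check written once (a small local macro or helper) would keep the `status |= BTAMP_INCOMPLETE_TLV` / `FRAMES_DBG_BREAK()` / `goto MandatoryCheck` sequence in a single place. The enclosing function starts before and continues after this hunk, so whether `nBufRemaining` is an unsigned type, which the `>` comparisons rely on to stay meaningful after the subtractions, cannot be confirmed here.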
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 9b18837..ca1e7df 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -8634,7 +8634,6 @@
/* after uninit our adapter structure will no longer be valid */
pAdapter->dev = NULL;
pAdapter->magic = 0;
- pAdapter->pHddCtx = NULL;
} while (0);
EXIT();
diff --git a/CORE/MAC/src/include/dot11f.h b/CORE/MAC/src/include/dot11f.h
index 81d072c..7c5390b 100644
--- a/CORE/MAC/src/include/dot11f.h
+++ b/CORE/MAC/src/include/dot11f.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -32,7 +32,7 @@
* \brief Structures, function prototypes & definitions
* for working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Jul 22 17:48:28 2019 from the following file(s):
+ * Tue Oct 5 09:07:17 2021 from the following file(s):
*
* dot11f.frms
*
diff --git a/CORE/MAC/src/pe/lim/limAssocUtils.c b/CORE/MAC/src/pe/lim/limAssocUtils.c
index 6fcc024..02cf86f 100644
--- a/CORE/MAC/src/pe/lim/limAssocUtils.c
+++ b/CORE/MAC/src/pe/lim/limAssocUtils.c
@@ -1950,8 +1950,9 @@
{
tSirMacRateSet tempRateSet;
tSirMacRateSet tempRateSet2;
- tANI_U32 i,j,val,min,isArate;
- isArate = 0;
+ tANI_U32 i,j,val,min;
+ tANI_U8 aRateIndex = 0;
+ tANI_U8 bRateIndex = 0;
/* copy operational rate set from psessionEntry */
if ( psessionEntry->rateSet.numRates <= SIR_MAC_RATESET_EID_MAX )
@@ -1992,7 +1993,6 @@
goto error;
}
-
//copy all rates in tempRateSet, there are 12 rates max
for (i = 0;i < tempRateSet2.numRates; i++)
tempRateSet.rate[i + tempRateSet.numRates] = tempRateSet2.rate[i];
@@ -2001,53 +2001,55 @@
* Sort rates in tempRateSet (they are likely to be already sorted)
* put the result in pSupportedRates
*/
- {
- tANI_U8 aRateIndex = 0;
- tANI_U8 bRateIndex = 0;
- vos_mem_set((tANI_U8 *) pRates, sizeof(tSirSupportedRates), 0);
- for(i = 0;i < tempRateSet.numRates; i++)
- {
- min = 0;
- val = 0xff;
- isArate = 0;
- for(j = 0; (j < tempRateSet.numRates) && (j < SIR_MAC_RATESET_EID_MAX); j++)
- {
- if ((tANI_U32) (tempRateSet.rate[j] & 0x7f) < val)
- {
- val = tempRateSet.rate[j] & 0x7f;
- min = j;
- }
+ vos_mem_set((tANI_U8 *) pRates, sizeof(tSirSupportedRates), 0);
+ for (i = 0; i < tempRateSet.numRates; i++) {
+ min = 0;
+ val = 0xff;
+ for (j = 0; (j < tempRateSet.numRates) &&
+ (j < SIR_MAC_RATESET_EID_MAX); j++) {
+ if ((tANI_U32)(tempRateSet.rate[j] & 0x7f) < val) {
+ val = tempRateSet.rate[j] & 0x7f;
+ min = j;
}
- if (sirIsArate(tempRateSet.rate[min] & 0x7f))
- isArate = 1;
- /*
- * HAL needs to know whether the rate is basic rate or not, as it needs to
- * update the response rate table accordingly. e.g. if one of the 11a rates is
- * basic rate, then that rate can be used for sending control frames.
- * HAL updates the response rate table whenever basic rate set is changed.
- */
- if (basicOnly)
- {
- if (tempRateSet.rate[min] & 0x80)
- {
- if (isArate)
- pRates->llaRates[aRateIndex++] = tempRateSet.rate[min];
- else
- pRates->llbRates[bRateIndex++] = tempRateSet.rate[min];
- }
- }
- else
- {
- if (isArate)
- pRates->llaRates[aRateIndex++] = tempRateSet.rate[min];
- else
- pRates->llbRates[bRateIndex++] = tempRateSet.rate[min];
- }
- tempRateSet.rate[min] = 0xff;
}
+ /*
+ * HAL needs to know whether the rate is basic rate or not,
+ * as it needs to update the response rate table accordingly.
+ * e.g. if one of the 11a rates is basic rate, then that rate
+ * can be used for sending control frames. HAL updates the
+ * response rate table whenever basic rate set is changed.
+ */
+ if (basicOnly && !(tempRateSet.rate[min] & 0x80)) {
+ limLog(pMac, LOG2, FL("Invalid basic rate"));
+ } else if (sirIsArate(tempRateSet.rate[min] & 0x7f)) {
+ if (aRateIndex >= SIR_NUM_11A_RATES) {
+ limLog(pMac, LOG2, FL("OOB, aRateIndex: %d"), aRateIndex);
+ } else if (aRateIndex >= 1 && (tempRateSet.rate[min] ==
+ pRates->llaRates[aRateIndex - 1])) {
+ limLog(pMac, LOG2, FL("Duplicate 11a rate: %d"),
+ tempRateSet.rate[min]);
+ } else {
+ pRates->llaRates[aRateIndex++] =
+ tempRateSet.rate[min];
+ }
+ } else if (sirIsBrate(tempRateSet.rate[min] & 0x7f)) {
+ if (bRateIndex >= SIR_NUM_11B_RATES) {
+ limLog(pMac, LOG2, FL("OOB, bRateIndex: %d"), bRateIndex);
+ } else if (bRateIndex >= 1 && (tempRateSet.rate[min] ==
+ pRates->llbRates[bRateIndex - 1])) {
+ limLog(pMac, LOG2, FL("Duplicate 11b rate: %d"),
+ tempRateSet.rate[min]);
+ } else {
+ pRates->llbRates[bRateIndex++] =
+ tempRateSet.rate[min];
+ }
+ } else {
+ limLog(pMac, LOG2, FL("%d is neither 11a nor 11b rate"),
+ tempRateSet.rate[min]);
+ }
+ tempRateSet.rate[min] = 0xff;
}
-
if (IS_DOT11_MODE_HT(psessionEntry->dot11mode))
{
val = SIZE_OF_SUPPORTED_MCS_SET;
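Review bot: The duplicate check compares the whole rate byte (`tempRateSet.rate[min] == pRates->llaRates[aRateIndex - 1]`, and likewise for the 11b table) while the selection sort orders on `rate & 0x7f`, so the same rate advertised once with the 0x80 basic bit and once without sorts adjacently yet passes the check and occupies two slots; the new bound checks keep that in-bounds, but it can push a later legitimate rate into the "OOB" branch and drop it. If one entry per rate value is intended, compare masked, `(tempRateSet.rate[min] & 0x7f) == (pRates->llaRates[aRateIndex - 1] & 0x7f)`; whether the basic flag of the kept entry should then be merged depends on how HAL consumes the table, which is outside this hunk. Separately, the `basicOnly` branch logs `"Invalid basic rate"` for a rate that is merely non-basic and is being skipped, which is the pre-existing behaviour rather than an error; `"Skipping non-basic rate"` at the same level would describe what happens. The enclosing function starts before and ends after this hunk.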
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index d22f1f8..0f66df0 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2012-2019 The Linux Foundation. All rights reserved.
+ * Copyright (c) 2012-2019, 2021 The Linux Foundation. All rights reserved.
*
* Previously licensed under the ISC license by Qualcomm Atheros, Inc.
*
@@ -30,7 +30,7 @@
* \brief Structures, functions & definitions for
* working with 802.11 Frames
* This file was automatically generated by 'framesc'
- * Mon Jul 22 17:48:28 2019 from the following file(s):
+ * Tue Oct 5 09:07:17 2021 from the following file(s):
*
* dot11f.frms
*
@@ -494,7 +494,7 @@
len += *(pBufRemaining+1);
pBufRemaining += len + 2;
len += 2;
- while ( len < nBuf )
+ while ( len + 1 < nBuf )
{
if( NULL == (pIe = FindIEDefn(pCtx, pBufRemaining, nBuf - len, IEs)))
break;
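Review bot: The new condition `len + 1 < nBuf` is not self-explanatory: it presumably guarantees that both the element-ID byte and the length byte of the next IE lie inside the buffer before the loop body reads them, whereas the old `len < nBuf` allowed a one-byte read past the end when a single trailing byte remained. A comment on the loop line would preserve that reasoning, e.g. `/* need the full 2-byte IE header (EID + length) before reading the next IE */`. Whether the loop body also validates the IE's declared length against `nBuf - len` cannot be seen here, as the enclosing function and the loop body extend beyond this hunk.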
@@ -23368,7 +23368,6 @@
// & length,
if ( pTlv->sLen == 2)
{
- framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
if ( 2 > nBufRemaining )
{
FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
@@ -23377,6 +23376,7 @@
FRAMES_DBG_BREAK();
goto MandatoryCheck;
}
+ framesntohs(pCtx, &len, pBufRemaining, pTlv->fMsb);
pBufRemaining += 2;
nBufRemaining -= 2;
}else
@@ -23388,9 +23388,16 @@
}
else
{
+ if ( TLVs[0].sType > nBufRemaining )
+ {
+ FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
+ "fewer TLVs[0].sType byte(s) remaining.\n") );
+ status |= DOT11F_INCOMPLETE_TLV;
+ FRAMES_DBG_BREAK();
+ goto MandatoryCheck;
+ }
pBufRemaining += TLVs[0].sType;
nBufRemaining -= TLVs[0].sType;
- framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
if ( 2 > nBufRemaining )
{
FRAMES_LOG0( pCtx, FRLOGE, FRFL("This frame reports "
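Review bot: The guard `TLVs[0].sType > nBufRemaining` covers the skip over the type field and the existing `2 > nBufRemaining` guard now precedes the two-byte `framesntohs` read (moved in the `@@ -23399` hunk, mirroring the `@@ -23368`/`@@ -23377` pair for the `pTlv->sLen == 2` branch), but the payload length `len` that the read produces is not compared with `nBufRemaining` anywhere visible in these hunks. If that comparison lives further down the function, a one-line comment after the read, e.g. `/* len is bounds-checked against nBufRemaining below */`, would let a reader confirm the chain without scrolling; if it does not, any later advance by `len` still needs it. The enclosing function starts before and continues after this hunk.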
@@ -23399,6 +23406,7 @@
FRAMES_DBG_BREAK();
goto MandatoryCheck;
}
+ framesntohs(pCtx, &len, pBufRemaining, (TLVs[0].sType == 2));
pBufRemaining += 2;
nBufRemaining -= 2;
}