qcacld-3.0: Fix improper QCN IE length filled
While filling the QCN IE, the IE length filled is 11 while the actual
length is 8, and thus this leads to an improper IE length in the scan
additional IE while copying the default_scan_ies.
So fix the QCN IE length and add a check for an improper IE length
while copying the IE into the scan additional IE.
Change-Id: I372af8c206d8f7ce0e93bc9c0fb14e222c6eb87e
CRs-Fixed: 2522208
diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 301c03e..54c1a53 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -6248,7 +6248,8 @@
scan_info->default_scan_ies,
&scan_info->default_scan_ies_len);
- hdd_debug("Saved default scan IE:");
+ hdd_debug("Saved default scan IE:len %d",
+ scan_info->default_scan_ies_len);
qdf_trace_hex_dump(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_DEBUG,
(uint8_t *) scan_info->default_scan_ies,
scan_info->default_scan_ies_len);
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index a23a2a7..849ee48 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -6098,6 +6098,7 @@
if (adapter->scan_info.default_scan_ies) {
qdf_mem_free(adapter->scan_info.default_scan_ies);
adapter->scan_info.default_scan_ies = NULL;
+ adapter->scan_info.default_scan_ies_len = 0;
}
hdd_exit();
diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c
index 12a05e9..1ac572c 100644
--- a/core/hdd/src/wlan_hdd_scan.c
+++ b/core/hdd/src/wlan_hdd_scan.c
@@ -353,6 +353,12 @@
elem_len = *temp_ie++;
rem_len -= 2;
+ if (elem_len > rem_len) {
+ hdd_err("Invalid element len %d for elem %d", elem_len,
+ elem_id);
+ return 0;
+ }
+
switch (elem_id) {
case DOT11F_EID_EXTCAP:
if (!wlan_get_ie_ptr_from_eid(DOT11F_EID_EXTCAP,
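Review bot: The new bound check sits after `rem_len -= 2`, so it protects only the element body; whether the two header bytes read on the lines just above were themselves covered depends on the loop condition, which lies above the hunk and is not visible here. If `rem_len` is unsigned and the loop only tests that it is non-zero, a buffer ending in a lone element-ID byte would wrap `rem_len` on the subtraction and the new comparison would not catch it; a guard before the header read, `if (rem_len < 2) { hdd_err("Truncated IE header"); return 0; }`, closes that. Returning 0 also discards every IE already copied into the destination when a later element is malformed; if that is intended, a one-line comment on the `return 0;` saying the whole buffer is rejected would save the next reader a trip. The enclosing function starts before and ends after this hunk.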
diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c
index 7505ea0..d9d481b 100644
--- a/core/sme/src/common/sme_api.c
+++ b/core/sme/src/common/sme_api.c
@@ -14848,7 +14848,7 @@
uint16_t *ie_len)
{
struct mac_context *mac_ctx = MAC_CONTEXT(mac_handle);
- uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, DOT11F_IE_QCN_IE_MAX_LEN,
+ uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, 8,
0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
QCN_IE_VERSION_SUBATTR_DATA_LEN,
QCN_IE_VERSION_SUPPORTED,
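Review bot: The replacement length is a bare literal `8` on the line that previously named the macro, so the next subattribute added to `qcn_ie` silently desynchronises the length byte again, which is the same class of mismatch this commit is fixing. Since the payload is everything after the two header bytes, deriving it from the array keeps it self-maintaining: leave the initialiser as is and add `qcn_ie[1] = sizeof(qcn_ie) - 2;` right after the declaration, or introduce a named constant for the QCN IE payload length next to the existing `QCN_IE_*` definitions. The csr_api_roam.c hunks in this same commit already use `sizeof(qcn_ie)` for the same table, so this would align the two call sites. The array initialiser and the rest of the function continue below the hunk.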
diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c
index 3c85d9d..2639300 100644
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@@ -18825,11 +18825,9 @@
uint8_t supp_chan_ie[DOT11F_IE_SUPPCHANNELS_MAX_LEN], supp_chan_ie_len;
#ifdef FEATURE_WLAN_ESE
- uint8_t ese_ie[DOT11F_IE_ESEVERSION_MAX_LEN]
- = { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED};
+ uint8_t ese_ie[] = { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED};
#endif
- uint8_t qcn_ie[DOT11F_IE_QCN_IE_MAX_LEN]
- = {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
+ uint8_t qcn_ie[] = {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
QCN_IE_VERSION_SUBATTR_DATA_LEN,
QCN_IE_VERSION_SUPPORTED,
QCN_IE_SUBVERSION_SUPPORTED};
@@ -18866,8 +18864,7 @@
/* Append ESE version IE if isEseIniFeatureEnabled INI is enabled */
if (mac_ctx->mlme_cfg->lfr.ese_enabled)
csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
- DOT11F_IE_ESEVERSION_MAX_LEN,
- ese_ie);
+ sizeof(ese_ie), ese_ie);
#endif
if (mac_ctx->rrm.rrmPEContext.rrmEnable) {
@@ -18887,8 +18884,7 @@
/* Append QCN IE if g_support_qcn_ie INI is enabled */
if (mac_ctx->mlme_cfg->sta.qcn_ie_support)
csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
- DOT11F_IE_QCN_IE_MAX_LEN,
- qcn_ie);
+ sizeof(qcn_ie), qcn_ie);
}
/**