qcacmn: Add length check in beacon IE parsing function (0d237f0e) · Commits · e / devices / android_kernel_fairphone_FP4

umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h

+11 −0

Original line number	Diff line number	Diff line
		@@ -136,6 +136,17 @@
		#define WLAN_RM_CAPABILITY_IE_MAX_LEN 5
		#define WLAN_RNR_IE_MIN_LEN 5

		/* Wide band channel switch IE length */
		#define WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN 3

		/* Number of max TX power elements supported plus size of Transmit Power
		* Information element.
		*/
		#define WLAN_TPE_IE_MAX_LEN 9

		/* Max channel switch time IE length */
		#define WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN 4

		/* HT capability flags */
		#define WLAN_HTCAP_C_ADVCODING 0x0001
		#define WLAN_HTCAP_C_CHWIDTH40 0x0002

+8 −0

Original line number	Diff line number	Diff line
		@@ -584,12 +584,18 @@ util_scan_parse_chan_switch_wrapper_ie(struct scan_cache_entry *scan_params,
		}
		switch (sub_ie->ie_id) {
		case WLAN_ELEMID_COUNTRY:
		if (sub_ie->ie_len < WLAN_COUNTRY_IE_MIN_LEN)
		return QDF_STATUS_E_INVAL;
		scan_params->ie_list.country = (uint8_t *)sub_ie;
		break;
		case WLAN_ELEMID_WIDE_BAND_CHAN_SWITCH:
		if (sub_ie->ie_len != WLAN_WIDE_BW_CHAN_SWITCH_IE_LEN)
		return QDF_STATUS_E_INVAL;
		scan_params->ie_list.widebw = (uint8_t *)sub_ie;
		break;
		case WLAN_ELEMID_VHT_TX_PWR_ENVLP:
		if (sub_ie->ie_len > WLAN_TPE_IE_MAX_LEN)
		return QDF_STATUS_E_INVAL;
		scan_params->ie_list.txpwrenvlp = (uint8_t *)sub_ie;
		break;
		}
		@@ -739,6 +745,8 @@ util_scan_parse_extn_ie(struct scan_cache_entry *scan_params,

		switch (extn_ie->ie_extn_id) {
		case WLAN_EXTN_ELEMID_MAX_CHAN_SWITCH_TIME:
		if (extn_ie->ie_len != WLAN_MAX_CHAN_SWITCH_TIME_IE_LEN)
		return QDF_STATUS_E_INVAL;
		scan_params->ie_list.mcst = (uint8_t *)ie;
		break;
		case WLAN_EXTN_ELEMID_SRP: