Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 8079aa43 authored by Pragaspathi Thilagaraj's avatar Pragaspathi Thilagaraj Committed by Madan Koyyalamudi
Browse files

qcacld-3.0: Fix invalid bss descriptor length check 

bss_descriptor->length is calculated as:
bss_desc->length = ie_length + sizeof(*bss_desc) -
                   sizeof(bss_desc->len)

In csr_parse_bss_description_ies(), the bss_desc length is
validated as below to return failure if ie_length is 0:
=> (bss_desc->length - sizeof(bss_desc->len)) <= ieFields_offset
Since the bss_desc->length already has the sizeof(bss_desc->len)
subtracted while it was populated.
So this could return failure, if the SSID IE length is less than
or equal to 4.

To avoid this, change the failure condition as below:
(bss_desc->length <= (ieFields_offset - sizeof(bss_desc->len))

Change-Id: Ib0af8e967c26ff0ca9a3b8c44107be4e80378e01
CRs-Fixed: 3022657
parent 86dc23d5

core/sme/src/csr/csr_util.c

+6 −4
Original line number Diff line number Diff line 
/*

 * Copyright (c) 2011-2020 The Linux Foundation. All rights reserved.

 * Copyright (c) 2011-2021 The Linux Foundation. All rights reserved.

 *

 * Permission to use, copy, modify, and/or distribute this software for

 * any purpose with or without fee is hereby granted, provided that the
@@ -1389,9 +1389,11 @@ QDF_STATUS csr_parse_bss_description_ies(struct mac_context *mac_ctx, 
	int ieLen;



	ieFields_offset = GET_FIELD_OFFSET(struct bss_description, ieFields);

	if (!bss_desc->length ||

	    (bss_desc->length - sizeof(bss_desc->length) <= ieFields_offset))

	if (bss_desc->length <= (ieFields_offset - sizeof(bss_desc->length))) {

		sme_err_rl("Invalid bss_desc IES: len:%d ie_fields_offset:%d",

			   bss_desc->length, ieFields_offset);

		return status;

	}



	ieLen =	(int)(bss_desc->length + sizeof(bss_desc->length) -

		ieFields_offset);