Merge branch 'android-msm-bluecross-4.9-pi-qpr1' into android-msm-bluecross-4.9-pi-qpr2
JULY 2019.3
Bug: 131239907
Change-Id: Iee30975dc5eceececdedcd5761b1245cf64e316b
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index 9ccc966..8f5a945 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -8306,6 +8306,8 @@
hdd_adapter_t *adapter = NULL;
void *cds_context = NULL;
int i;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
cds_context = cds_get_global_context();
@@ -8319,6 +8321,11 @@
if (0 != wlan_hdd_validate_context(hdd_ctx))
return;
+ if (frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {
+ hdd_err(" Invalid frame length");
+ return;
+ }
+
if (SME_SESSION_ID_ANY == frame_ind->sessionId) {
for (i = 0; i < CSR_ROAM_SESSION_MAX; i++) {
adapter =
diff --git a/core/mac/src/pe/lim/lim_process_disassoc_frame.c b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
index c8ae79f..e36ecc9 100644
--- a/core/mac/src/pe/lim/lim_process_disassoc_frame.c
+++ b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
@@ -77,13 +77,12 @@
uint16_t aid, reasonCode;
tpSirMacMgmtHdr pHdr;
tpDphHashNode pStaDs;
-#ifdef WLAN_FEATURE_11W
- uint32_t frameLen;
-#endif
+ uint32_t frame_len;
int32_t frame_rssi;
pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
@@ -137,11 +136,10 @@
/* If the frame received is unprotected, forward it to the supplicant to initiate */
/* an SA query */
- frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
/* send the unprotected frame indication to SME */
lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType,
(uint8_t *) pHdr,
- (frameLen +
+ (frame_len +
sizeof(tSirMacMgmtHdr)),
psessionEntry->smeSessionId,
psessionEntry);
@@ -149,6 +147,11 @@
}
#endif
+ if (frame_len < 2) {
+ pe_err("frame len less than 2");
+ return;
+ }
+
/* Get reasonCode from Disassociation frame body */
reasonCode = sir_read_u16(pBody);
diff --git a/core/sme/src/rrm/sme_rrm.c b/core/sme/src/rrm/sme_rrm.c
index 38b7560..8e7cba1 100644
--- a/core/sme/src/rrm/sme_rrm.c
+++ b/core/sme/src/rrm/sme_rrm.c
@@ -845,6 +845,14 @@
sme_debug("Received Beacon report request ind Channel = %d",
pBeaconReq->channelInfo.channelNum);
+
+ if (pBeaconReq->channelList.numChannels >
+ SIR_ESE_MAX_MEAS_IE_REQS) {
+ sme_err("Beacon report request numChannels:%u exceeds max num channels",
+ pBeaconReq->channelList.numChannels);
+ return QDF_STATUS_E_INVAL;
+ }
+
/* section 11.10.8.1 (IEEE Std 802.11k-2008) */
/* channel 0 and 255 has special meaning. */
if ((pBeaconReq->channelInfo.channelNum == 0) ||
