qcacld-3.0: Fix improper QCN IE length filled

While filling the QCN IE the IE length filled is 11 while actual length is 8 and thus this lead to improper IE length in scan additional ie while copying the default_scan_ies. So fix the QCN IE length and add check for improper IE length check while copying IE in scan additional ie. Change-Id: I372af8c206d8f7ce0e93bc9c0fb14e222c6eb87e CRs-Fixed: 2522208
2019-09-06 09:23:22 +05:30 · 2019-09-06 09:23:22 +05:30 · 74d06cf802
commit 74d06cf802
parent 5324ac644c
5 changed files with 14 additions and 10 deletions
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@ -6248,7 +6248,8 @@ static int wlan_hdd_save_default_scan_ies(struct hdd_context *hdd_ctx,
 			       scan_info->default_scan_ies,
 			       &scan_info->default_scan_ies_len);

-	hdd_debug("Saved default scan IE:");
+	hdd_debug("Saved default scan IE:len %d",
+		  scan_info->default_scan_ies_len);
 	qdf_trace_hex_dump(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_DEBUG,
 				(uint8_t *) scan_info->default_scan_ies,
 				scan_info->default_scan_ies_len);
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@ -6098,6 +6098,7 @@ QDF_STATUS hdd_stop_adapter(struct hdd_context *hdd_ctx,
 	if (adapter->scan_info.default_scan_ies) {
 		qdf_mem_free(adapter->scan_info.default_scan_ies);
 		adapter->scan_info.default_scan_ies = NULL;
+		adapter->scan_info.default_scan_ies_len = 0;
 	}

 	hdd_exit();
--- a/core/hdd/src/wlan_hdd_scan.c
+++ b/core/hdd/src/wlan_hdd_scan.c
@ -353,6 +353,12 @@ static int wlan_hdd_update_scan_ies(struct hdd_adapter *adapter,
 		elem_len = *temp_ie++;
 		rem_len -= 2;

+		if (elem_len > rem_len) {
+			hdd_err("Invalid element len %d for elem %d", elem_len,
+				elem_id);
+			return 0;
+		}
+
 		switch (elem_id) {
 		case DOT11F_EID_EXTCAP:
 			if (!wlan_get_ie_ptr_from_eid(DOT11F_EID_EXTCAP,
--- a/core/sme/src/common/sme_api.c
+++ b/core/sme/src/common/sme_api.c
@ -14848,7 +14848,7 @@ void sme_add_qcn_ie(mac_handle_t mac_handle, uint8_t *ie_data,
 		    uint16_t *ie_len)
 {
 	struct mac_context *mac_ctx = MAC_CONTEXT(mac_handle);
-	uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, DOT11F_IE_QCN_IE_MAX_LEN,
+	uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, 8,
 			    0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
 			    QCN_IE_VERSION_SUBATTR_DATA_LEN,
 			    QCN_IE_VERSION_SUPPORTED,
--- a/core/sme/src/csr/csr_api_roam.c
+++ b/core/sme/src/csr/csr_api_roam.c
@ -18825,11 +18825,9 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx,
 	uint8_t supp_chan_ie[DOT11F_IE_SUPPCHANNELS_MAX_LEN], supp_chan_ie_len;

 #ifdef FEATURE_WLAN_ESE
-	uint8_t ese_ie[DOT11F_IE_ESEVERSION_MAX_LEN]
-			= { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED};
+	uint8_t ese_ie[] = { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED};
 #endif
-	uint8_t qcn_ie[DOT11F_IE_QCN_IE_MAX_LEN]
-			= {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
+	uint8_t qcn_ie[] = {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID,
 				QCN_IE_VERSION_SUBATTR_DATA_LEN,
 				QCN_IE_VERSION_SUPPORTED,
 				QCN_IE_SUBVERSION_SUPPORTED};
@ -18866,8 +18864,7 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx,
 	/* Append ESE version IE if isEseIniFeatureEnabled INI is enabled */
 	if (mac_ctx->mlme_cfg->lfr.ese_enabled)
 		csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
-					DOT11F_IE_ESEVERSION_MAX_LEN,
-					ese_ie);
+				     sizeof(ese_ie), ese_ie);
 #endif

 	if (mac_ctx->rrm.rrmPEContext.rrmEnable) {
@ -18887,8 +18884,7 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx,
 	/* Append QCN IE if g_support_qcn_ie INI is enabled */
 	if (mac_ctx->mlme_cfg->sta.qcn_ie_support)
 		csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
-					DOT11F_IE_QCN_IE_MAX_LEN,
-					qcn_ie);
+				     sizeof(qcn_ie), qcn_ie);
 }

 /**