From 74d06cf802818ee8baaa4804cb5216dc62ff7e78 Mon Sep 17 00:00:00 2001
From: Abhishek Singh
Date: Fri, 6 Sep 2019 09:23:22 +0530
Subject: [PATCH] qcacld-3.0: Fix improper QCN IE length filled

While filling the QCN IE the IE length filled is 11 while actual length is 8 and thus this lead to improper IE length in scan additional ie while copying the default_scan_ies.

So fix the QCN IE length and add check for improper IE length check while copying IE in scan additional ie.

Change-Id: I372af8c206d8f7ce0e93bc9c0fb14e222c6eb87e
CRs-Fixed: 2522208
---
 core/hdd/src/wlan_hdd_cfg80211.c | 3 ++-
 core/hdd/src/wlan_hdd_main.c | 1 +
 core/hdd/src/wlan_hdd_scan.c | 6 ++++++
 core/sme/src/common/sme_api.c | 2 +-
 core/sme/src/csr/csr_api_roam.c | 12 ++++--------
 5 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/core/hdd/src/wlan_hdd_cfg80211.c b/core/hdd/src/wlan_hdd_cfg80211.c
index 301c03ecd8a7c..54c1a53dfb432 100644
--- a/core/hdd/src/wlan_hdd_cfg80211.c
+++ b/core/hdd/src/wlan_hdd_cfg80211.c
@@ -6248,7 +6248,8 @@ static int wlan_hdd_save_default_scan_ies(struct hdd_context *hdd_ctx,
 scan_info->default_scan_ies,
 &scan_info->default_scan_ies_len);
 
- hdd_debug("Saved default scan IE:");
+ hdd_debug("Saved default scan IE:len %d",
+ scan_info->default_scan_ies_len);
 qdf_trace_hex_dump(QDF_MODULE_ID_HDD, QDF_TRACE_LEVEL_DEBUG,
 (uint8_t *) scan_info->default_scan_ies,
 scan_info->default_scan_ies_len);
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index a23a2a71d3041..849ee48b7c266 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -6098,6 +6098,7 @@ QDF_STATUS hdd_stop_adapter(struct hdd_context *hdd_ctx,
 if (adapter->scan_info.default_scan_ies) {
 qdf_mem_free(adapter->scan_info.default_scan_ies);
 adapter->scan_info.default_scan_ies = NULL;
+ adapter->scan_info.default_scan_ies_len = 0;
 }
 
 hdd_exit();
diff --git a/core/hdd/src/wlan_hdd_scan.c b/core/hdd/src/wlan_hdd_scan.c
index 12a05e991757c..1ac572cb3b614 100644
--- a/core/hdd/src/wlan_hdd_scan.c +++ b/core/hdd/src/wlan_hdd_scan.c @@ -353,6 +353,12 @@ static int wlan_hdd_update_scan_ies(struct hdd_adapter *adapter, elem_len = *temp_ie++; rem_len -= 2; + if (elem_len > rem_len) { + hdd_err("Invalid element len %d for elem %d", elem_len, + elem_id); + return 0; + } + switch (elem_id) { case DOT11F_EID_EXTCAP: if (!wlan_get_ie_ptr_from_eid(DOT11F_EID_EXTCAP, diff --git a/core/sme/src/common/sme_api.c b/core/sme/src/common/sme_api.c index 7505ea0fb6da0..d9d481b732ca7 100644 --- a/core/sme/src/common/sme_api.c +++ b/core/sme/src/common/sme_api.c @@ -14848,7 +14848,7 @@ void sme_add_qcn_ie(mac_handle_t mac_handle, uint8_t *ie_data, uint16_t *ie_len) { struct mac_context *mac_ctx = MAC_CONTEXT(mac_handle); - uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, DOT11F_IE_QCN_IE_MAX_LEN, + uint8_t qcn_ie[] = {WLAN_ELEMID_VENDOR, 8, 0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID, QCN_IE_VERSION_SUBATTR_DATA_LEN, QCN_IE_VERSION_SUPPORTED, diff --git a/core/sme/src/csr/csr_api_roam.c b/core/sme/src/csr/csr_api_roam.c index 3c85d9d1449e7..2639300885ed3 100644 --- a/core/sme/src/csr/csr_api_roam.c +++ b/core/sme/src/csr/csr_api_roam.c @@ -18825,11 +18825,9 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx, uint8_t supp_chan_ie[DOT11F_IE_SUPPCHANNELS_MAX_LEN], supp_chan_ie_len; #ifdef FEATURE_WLAN_ESE - uint8_t ese_ie[DOT11F_IE_ESEVERSION_MAX_LEN] - = { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED}; + uint8_t ese_ie[] = { 0x0, 0x40, 0x96, 0x3, ESE_VERSION_SUPPORTED}; #endif - uint8_t qcn_ie[DOT11F_IE_QCN_IE_MAX_LEN] - = {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID, + uint8_t qcn_ie[] = {0x8C, 0xFD, 0xF0, 0x1, QCN_IE_VERSION_SUBATTR_ID, QCN_IE_VERSION_SUBATTR_DATA_LEN, QCN_IE_VERSION_SUPPORTED, QCN_IE_SUBVERSION_SUPPORTED}; 
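Review bot: The new bounds check in wlan_hdd_update_scan_ies returns 0 when `elem_len` exceeds `rem_len`, so a truncated or malformed element in the supplied IE buffer is reported to the caller as success, and whatever was processed before the bad element is kept with no indication that parsing stopped early. If callers act on this function's return value, `return -EINVAL;` would let them reject the buffer instead of saving a partially processed one; if they ignore it, the hdd_err line is the only trace of the problem and a comment such as `/* truncated element: stop parsing, keep what was copied so far */` should state that this is deliberate. The placement after `rem_len -= 2` is right, since `rem_len` then counts the bytes left after the two-byte element header. The function's signature, the enclosing loop and the per-element handling this check presumably protects are all outside the hunk.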
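Review bot: The length byte of the vendor IE in sme_add_qcn_ie is now the bare literal `8` in the `qcn_ie` initializer, which has to be kept in sync by hand with the eight bytes that follow it (`0x8C, 0xFD, 0xF0, 0x1` and the four QCN_IE_* version sub-attribute values); the csr_api_roam.c hunks in the same commit derive that length with `sizeof(qcn_ie)`, so this array should not be the one place the number is typed out. Keeping a placeholder in the initializer and setting `qcn_ie[1] = sizeof(qcn_ie) - 2;` before the array is used keeps the header byte in step with the body automatically; failing that, a comment such as `/* IE length: 4 OUI/type bytes + 4-byte version sub-attribute */` should explain where 8 comes from. The rest of sme_add_qcn_ie, presumably the copy into ie_data and the ie_len update, is outside the hunk, so whether the destination has room for sizeof(qcn_ie) bytes cannot be confirmed here.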
@@ -18866,8 +18864,7 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx,
 /* Append ESE version IE if isEseIniFeatureEnabled INI is enabled */
 if (mac_ctx->mlme_cfg->lfr.ese_enabled)
 csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
- DOT11F_IE_ESEVERSION_MAX_LEN,
- ese_ie);
+ sizeof(ese_ie), ese_ie);
 #endif
 
 if (mac_ctx->rrm.rrmPEContext.rrmEnable) {
@@ -18887,8 +18884,7 @@ static void csr_update_driver_assoc_ies(struct mac_context *mac_ctx,
 /* Append QCN IE if g_support_qcn_ie INI is enabled */
 if (mac_ctx->mlme_cfg->sta.qcn_ie_support)
 csr_append_assoc_ies(mac_ctx, req_buf, WLAN_ELEMID_VENDOR,
- DOT11F_IE_QCN_IE_MAX_LEN,
- qcn_ie);
+ sizeof(qcn_ie), qcn_ie);
 }
 
 /**