prima: Skip an IE if found more its max times in a frame

Check if a IE has been encountered more than max possible for that IE while parsing a frame. Change-Id: I1054c7df18780469849be55fc4343f09ac502a49 CRs-Fixed: 2069927 Fix CVE-2017-11013 Change-Id: I41b97a29cf984e0fc605a22f6f6abfc07880976c
2024-11-06 23:17:41 +00:00 · 2017-11-13 17:51:45 -08:00 · 2017-11-13 17:51:45 -08:00 · 4556591e9b
commit 4556591e9b
parent f35f655694
2 changed files with 6 additions and 1 deletions
--- a/drivers/staging/prima/CORE/MAC/src/include/dot11f.h
+++ b/drivers/staging/prima/CORE/MAC/src/include/dot11f.h
@ -106,8 +106,8 @@ typedef tANI_U32 tDOT11F_U64[2];
 #define DOT11F_BUFFER_OVERFLOW       ( 0x10000005 )
 #define DOT11F_MANDATORY_TLV_MISSING ( 0x00001000 )
 #define DOT11F_FAILED(code)          ( (code) & 0x10000000 )
-#define DOT11F_WARNED(code)          ( ( ( 0 == (code) ) & 0x10000000 ) && code)
 #define DOT11F_SUCCEEDED(code)       ( (code) == 0 )
+#define DOT11F_WARNED(code)          (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))

 /*********************************************************************
 * Fixed Fields                                                      *
--- a/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/drivers/staging/prima/CORE/SYS/legacy/src/utils/src/dot11f.c
@ -20089,6 +20089,10 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
                }

        countOffset = ( (0 != pIe->arraybound) * ( *(tANI_U16* )(pFrm + pIe->countOffset)));
+            if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
+              status |= DOT11F_DUPLICATE_IE;
+              goto skip_dup_ie;
+            }
                switch (pIe->sig)
                {
                case SigIeAPName:
@ -20548,6 +20552,7 @@ static tANI_U32 UnpackCore(tpAniSirGlobal pCtx,
            status |= DOT11F_UNKNOWN_IES;
        }

+skip_dup_ie:
        pBufRemaining += len;

         if (len > nBufRemaining)