author | Harrison Lingren <hlingren@google.com> | 2019-04-12 15:20:47 -0700 |
---|---|---|
committer | Harrison Lingren <hlingren@google.com> | 2019-04-12 15:20:47 -0700 |
commit | 92605b1b55ecd5d7991a4c5c8383da9a43d65eee (patch) | |
tree | 37ed3697bd31ba8fb4fdd963e96e37087c0dd812 | |
parent | a429a8e418f806005e49ac5cd0f9aebdb503a40f (diff) | |
parent | f722393a5f635a977fd556d1e9d4b02f91ca8c5c (diff) |
Merge branch 'android-msm-wahoo-4.4-pi-qpr2' into android-msm-wahoo-4.4-pi-qpr3android-9.0.0_r0.92
JUN 2019.4
Bug: 129970700
Change-Id: I6c88166fe0f2c1a3f0c717124acdd9113bebadc2
Signed-off-by: Kelly Rossmoyer <krossmo@google.com>
Signed-off-by: Harrison Lingren <hlingren@google.com>
8 files changed, 2320 insertions, 56 deletions
diff --git a/drivers/media/platform/msm/vidc/hfi_response_handler.c b/drivers/media/platform/msm/vidc/hfi_response_handler.c index 3835a2e45882..f442d1fcf215 100644 --- a/drivers/media/platform/msm/vidc/hfi_response_handler.c +++ b/drivers/media/platform/msm/vidc/hfi_response_handler.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2016,2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -603,6 +603,11 @@ static int hfi_fill_codec_info(u8 *data_ptr, vidc_get_hal_codec((1 << i) & codecs); capability->domain = vidc_get_hal_domain(HFI_VIDEO_DOMAIN_DECODER); + if (codec_count == VIDC_MAX_DECODE_SESSIONS) { + dprintk(VIDC_ERR, + "Max supported decoder sessions reached"); + break; + } } } codecs = sys_init_done->enc_codec_supported; @@ -614,6 +619,11 @@ static int hfi_fill_codec_info(u8 *data_ptr, vidc_get_hal_codec((1 << i) & codecs); capability->domain = vidc_get_hal_domain(HFI_VIDEO_DOMAIN_ENCODER); + if (codec_count == VIDC_MAX_SESSIONS) { + dprintk(VIDC_ERR, + "Max supported sessions reached"); + break; + } } } sys_init_done->codec_count = codec_count; diff --git a/drivers/media/platform/msm/vidc/venus_hfi.c b/drivers/media/platform/msm/vidc/venus_hfi.c index a2eb4045e6a0..cf659767262e 100644 --- a/drivers/media/platform/msm/vidc/venus_hfi.c +++ b/drivers/media/platform/msm/vidc/venus_hfi.c @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2018, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2019, The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and 
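Review bot: The new limit check in hfi_fill_codec_info runs after `capability->codec` and `capability->domain` have already been stored, so whether it prevents an out-of-range entry depends on where `codec_count` is incremented and how `capability` is indexed, both of which lie outside the hunk; the encoder loop in the next hunk (@@ -614) has the same shape. A guard placed before the store and written as `>=`, `if (codec_count >= VIDC_MAX_DECODE_SESSIONS) {`, does not depend on that ordering and also catches a count that is already past the limit. The decoder loop caps at VIDC_MAX_DECODE_SESSIONS while the encoder loop caps at VIDC_MAX_SESSIONS, and the VIDC_MAX_ENCODE_SESSIONS just added in vidc_hfi_api.h is not referenced anywhere in the diff; a comment such as `/* encoders take whatever of the VIDC_MAX_SESSIONS slots the decoder pass left */` would make that asymmetry read as intentional. Both new dprintk() strings lack the trailing `\n` the other messages in this diff carry, and the firmware-reported codec list is silently truncated with no error returned to the caller, which is worth stating in the same comment if that is the intended behaviour.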
@@ -328,7 +328,7 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, { struct hfi_queue_header *queue; u32 packet_size_in_words, new_write_idx; - u32 empty_space, read_idx; + u32 empty_space, read_idx, write_idx; u32 *write_ptr; if (!qinfo || !packet) { @@ -351,16 +351,18 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, } packet_size_in_words = (*(u32 *)packet) >> 2; - if (!packet_size_in_words) { - dprintk(VIDC_ERR, "Zero packet size\n"); + if (!packet_size_in_words || packet_size_in_words > + qinfo->q_array.mem_size>>2) { + dprintk(VIDC_ERR, "Invalid packet size\n"); return -ENODATA; } read_idx = queue->qhdr_read_idx; + write_idx = queue->qhdr_write_idx; - empty_space = (queue->qhdr_write_idx >= read_idx) ? - (queue->qhdr_q_size - (queue->qhdr_write_idx - read_idx)) : - (read_idx - queue->qhdr_write_idx); + empty_space = (write_idx >= read_idx) ? + ((qinfo->q_array.mem_size>>2) - (write_idx - read_idx)) : + (read_idx - write_idx); if (empty_space <= packet_size_in_words) { queue->qhdr_tx_req = 1; dprintk(VIDC_ERR, "Insufficient size (%d) to write (%d)\n", 
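Review bot: `read_idx` is copied out of the queue header in __write_queue but never range-checked, so a header value above `mem_size >> 2` feeds straight into the `empty_space` arithmetic, while the read path in hunk @@ -511 does keep an explicit `read_idx <= (qinfo->q_array.mem_size >> 2)` test. A symmetric guard right after the snapshot, `if (read_idx >= (qinfo->q_array.mem_size >> 2)) { dprintk(VIDC_ERR, "Invalid read index\n"); return -ENODATA; }`, keeps the free-space computation meaningful instead of letting a corrupt index produce an `empty_space` larger than the queue. If the header lives in memory the other side also updates, as the `qhdr_tx_req` handshake suggests, the two index snapshots are better taken with READ_ONCE() so the compiler cannot legally re-read them. The `mem_size>>2` spelling here differs from the `mem_size >> 2` used in the following hunks, and __write_queue continues beyond this hunk on both sides.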
@@ -370,13 +372,20 @@ static int __write_queue(struct vidc_iface_q_info *qinfo, u8 *packet, queue->qhdr_tx_req = 0; - new_write_idx = (queue->qhdr_write_idx + packet_size_in_words); + new_write_idx = write_idx + packet_size_in_words; write_ptr = (u32 *)((qinfo->q_array.align_virtual_addr) + - (queue->qhdr_write_idx << 2)); - if (new_write_idx < queue->qhdr_q_size) { + (write_idx << 2)); + if (write_ptr < (u32 *)qinfo->q_array.align_virtual_addr || + write_ptr > (u32 *)(qinfo->q_array.align_virtual_addr + + qinfo->q_array.mem_size)) { + dprintk(VIDC_ERR, "Invalid write index"); + return -ENODATA; + } + + if (new_write_idx < (qinfo->q_array.mem_size >> 2)) { memcpy(write_ptr, packet, packet_size_in_words << 2); } else { - new_write_idx -= queue->qhdr_q_size; + new_write_idx -= qinfo->q_array.mem_size >> 2; memcpy(write_ptr, packet, (packet_size_in_words - new_write_idx) << 2); memcpy((void *)qinfo->q_array.align_virtual_addr, @@ -468,7 +477,8 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, u32 packet_size_in_words, new_read_idx; u32 *read_ptr; u32 receive_request = 0; - int rc = 0; + u32 read_idx, write_idx; + int rc = 0; if (!qinfo || !packet || !pb_tx_req_is_set) { dprintk(VIDC_ERR, "Invalid Params\n"); @@ -499,7 +509,10 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, if (queue->qhdr_type & HFI_Q_ID_CTRL_TO_HOST_MSG_Q) receive_request = 1; - if (queue->qhdr_read_idx == queue->qhdr_write_idx) { + read_idx = queue->qhdr_read_idx; + write_idx = queue->qhdr_write_idx; + + if (read_idx == write_idx) { queue->qhdr_rx_req = receive_request; *pb_tx_req_is_set = 0; dprintk(VIDC_DBG, 
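Review bot: The new guard in __write_queue bounds the pointer rather than the index: `write_idx << 2` is 32-bit arithmetic, so an index of 2^30 or more wraps to a small byte offset, `write_ptr` lands inside the array and passes, yet `new_write_idx` and the wrap-around copy length `(packet_size_in_words - new_write_idx) << 2` further down are still computed from the oversized index (this assumes align_virtual_addr is a byte pointer, which the `<< 2` offset suggests). The read path in hunk @@ -511 keeps a direct `read_idx <= (qinfo->q_array.mem_size >> 2)` comparison; the write path should test its index the same way, e.g. `if (write_idx >= (qinfo->q_array.mem_size >> 2)) {` in place of the two pointer comparisons, which also makes the later wrap logic sound. Even as written, the upper comparison admits `write_ptr` equal to `align_virtual_addr + mem_size` whereas the read check stops at `mem_size - sizeof(*read_ptr)`, and `"Invalid write index"` lacks the `\n` that `"Invalid read index\n"` and the other dprintk() strings carry. __write_queue ends outside this hunk.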
@@ -511,21 +524,28 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, } read_ptr = (u32 *)((qinfo->q_array.align_virtual_addr) + - (queue->qhdr_read_idx << 2)); + (read_idx << 2)); + if (read_ptr < (u32 *)qinfo->q_array.align_virtual_addr || + read_ptr > (u32 *)(qinfo->q_array.align_virtual_addr + + qinfo->q_array.mem_size - sizeof(*read_ptr))) { + dprintk(VIDC_ERR, "Invalid read index\n"); + return -ENODATA; + } + packet_size_in_words = (*read_ptr) >> 2; if (!packet_size_in_words) { dprintk(VIDC_ERR, "Zero packet size\n"); return -ENODATA; } - new_read_idx = queue->qhdr_read_idx + packet_size_in_words; - if (((packet_size_in_words << 2) <= VIDC_IFACEQ_VAR_HUGE_PKT_SIZE) - && queue->qhdr_read_idx <= queue->qhdr_q_size) { - if (new_read_idx < queue->qhdr_q_size) { + new_read_idx = read_idx + packet_size_in_words; + if (((packet_size_in_words << 2) <= VIDC_IFACEQ_VAR_HUGE_PKT_SIZE) && + read_idx <= (qinfo->q_array.mem_size >> 2)) { + if (new_read_idx < (qinfo->q_array.mem_size >> 2)) { memcpy(packet, read_ptr, packet_size_in_words << 2); } else { - new_read_idx -= queue->qhdr_q_size; + new_read_idx -= (qinfo->q_array.mem_size >> 2); memcpy(packet, read_ptr, (packet_size_in_words - new_read_idx) << 2); memcpy(packet + ((packet_size_in_words - @@ -536,19 +556,19 @@ static int __read_queue(struct vidc_iface_q_info *qinfo, u8 *packet, } else { dprintk(VIDC_WARN, "BAD packet received, read_idx: %#x, pkt_size: %d\n", - queue->qhdr_read_idx, packet_size_in_words << 2); + read_idx, packet_size_in_words << 2); dprintk(VIDC_WARN, "Dropping this packet\n"); - new_read_idx = queue->qhdr_write_idx; + new_read_idx = write_idx; rc = -ENODATA; } - queue->qhdr_read_idx = new_read_idx; - - if (queue->qhdr_read_idx != queue->qhdr_write_idx) + if (new_read_idx != write_idx) queue->qhdr_rx_req = 0; else queue->qhdr_rx_req = receive_request; + queue->qhdr_read_idx = new_read_idx; + *pb_tx_req_is_set = (1 == queue->qhdr_tx_req) ? 1 : 0; if (msm_vidc_debug & VIDC_PKT) { 
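Review bot: In __read_queue the packet length read from the ring is still bounded only by VIDC_IFACEQ_VAR_HUGE_PKT_SIZE, whereas the write side (hunk @@ -351) now also rejects `packet_size_in_words > mem_size >> 2`; in the wrap-around branch the second memcpy copies `new_read_idx` words from the array base, and `new_read_idx` exceeds the queue size whenever the packet is larger than the queue, so unless q_array.mem_size is guaranteed to be at least VIDC_IFACEQ_VAR_HUGE_PKT_SIZE (not visible here) that copy can run past the array. Extending the BAD-packet condition, `if (((packet_size_in_words << 2) <= VIDC_IFACEQ_VAR_HUGE_PKT_SIZE) && packet_size_in_words <= (qinfo->q_array.mem_size >> 2) && read_idx <= (qinfo->q_array.mem_size >> 2)) {`, closes that independently of how the two constants relate. The capacity of the destination `packet` buffer is not visible in the hunk either; the code presumably relies on it holding VIDC_IFACEQ_VAR_HUGE_PKT_SIZE bytes, which deserves a comment at the memcpy. The function body continues past the hunk.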
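Review bot: The store `queue->qhdr_read_idx = new_read_idx;` is moved after the `qhdr_rx_req` update without a comment saying why, and the BAD-packet branch now resets the index from the `write_idx` snapshot rather than the live header. If the header is shared with the firmware, as the rx_req/tx_req handshake suggests, the relative order of these two stores is presumably the point of the move, and that intent should be recorded next to the assignment, e.g. `/* update rx_req before publishing the consumed index; the other side acts on the index as soon as it is visible */`, together with whatever barrier the platform needs between the two plain stores if ordering really is required. __read_queue continues outside this hunk.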
diff --git a/drivers/media/platform/msm/vidc/vidc_hfi_api.h b/drivers/media/platform/msm/vidc/vidc_hfi_api.h index 820c8685a75b..20f36940e91d 100644 --- a/drivers/media/platform/msm/vidc/vidc_hfi_api.h +++ b/drivers/media/platform/msm/vidc/vidc_hfi_api.h @@ -1,4 +1,4 @@ -/* Copyright (c) 2012-2016, The Linux Foundation. All rights reserved. +/* Copyright (c) 2012-2016,2019 The Linux Foundation. All rights reserved. * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2 and @@ -66,6 +66,9 @@ /* 16 encoder and 16 decoder sessions */ #define VIDC_MAX_SESSIONS 32 +#define VIDC_MAX_DECODE_SESSIONS 16 +#define VIDC_MAX_ENCODE_SESSIONS 16 + enum vidc_status { VIDC_ERR_NONE = 0x0, diff --git a/drivers/media/usb/uvc/uvc_driver.c b/drivers/media/usb/uvc/uvc_driver.c index 885f689ac870..f2e3fdf385cc 100644 --- a/drivers/media/usb/uvc/uvc_driver.c +++ b/drivers/media/usb/uvc/uvc_driver.c @@ -1019,11 +1019,19 @@ static int uvc_parse_standard_control(struct uvc_device *dev, return -EINVAL; } - /* Make sure the terminal type MSB is not null, otherwise it - * could be confused with a unit. + /* + * Reject invalid terminal types that would cause issues: + * + * - The high byte must be non-zero, otherwise it would be + * confused with a unit. + * + * - Bit 15 must be 0, as we use it internally as a terminal + * direction flag. + * + * Other unknown types are accepted. */ type = get_unaligned_le16(&buffer[4]); - if ((type & 0xff00) == 0) { + if ((type & 0x7f00) == 0 || (type & 0x8000) != 0) { uvc_trace(UVC_TRACE_DESCR, "device %d videocontrol " "interface %d INPUT_TERMINAL %d has invalid " "type 0x%04x, skipping\n", udev->devnum, diff --git a/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h b/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h index 7087926c5515..d686d12da56e 100644 --- a/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h 
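Review bot: In the uvc_driver.c hunk the two literal masks encode the driver's own terminal-direction convention, so the check reads as magic even with the new comment above it. If this tree's uvcvideo.h defines the direction flag (upstream names it UVC_TERM_OUTPUT), expressing the second test through it, `if ((type & 0x7f00) == 0 || (type & UVC_TERM_OUTPUT) != 0) {`, ties the rejection to the flag the comment refers to and keeps the two in step if the flag ever moves. The rejection itself is correct for INPUT_TERMINAL, where the descriptor type is later combined with the input direction value; the OUTPUT_TERMINAL path is outside this hunk and not affected. uvc_parse_standard_control continues on both sides of the hunk.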
+++ b/drivers/staging/qcacld-3.0/core/mac/src/include/dot11f.h @@ -35,7 +35,7 @@ * * * This file was automatically generated by 'framesc' - * Fri Feb 16 10:33:08 2018 from the following file(s): + * Wed May 23 09:57:10 2018 from the following file(s): * * dot11f.frms * @@ -57,6 +57,10 @@ typedef uint32_t tDOT11F_U64[2]; #define __must_check #endif +#if !defined unlikely +#define unlikely(x) (x) +#endif + /* * Frames Return Codes: * diff --git a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c index 4c83e587aa54..c55a1fa01f9d 100644 --- a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c +++ b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/dot11f.c @@ -33,7 +33,7 @@ * * * This file was automatically generated by 'framesc' - * Fri Feb 16 10:33:08 2018 from the following file(s): + * Wed May 23 09:57:10 2018 from the following file(s): * * dot11f.frms * @@ -823,6 +823,11 @@ uint32_t dot11f_unpack_tlv_authorized_ma_cs(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->mac, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; @@ -844,6 +849,11 @@ uint32_t dot11f_unpack_tlv_version2(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp5__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp5__ = *pBuf; pBuf += 1; tlvlen -= 1; 
@@ -901,9 +911,19 @@ uint32_t dot11f_unpack_tlv_extended_listen_timing(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityPeriod, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->availibilityInterval, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; @@ -921,12 +941,27 @@ uint32_t dot11f_unpack_tlv_listen_channel(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1016,9 +1051,19 @@ uint32_t dot11f_unpack_tlv_notice_of_absence(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->index = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->CTSWindowOppPS = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; 
@@ -1045,12 +1090,27 @@ uint32_t dot11f_unpack_tlv_operating_channel(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryString, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1068,9 +1128,19 @@ uint32_t dot11f_unpack_tlv_p2_p_capability(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->deviceCapability = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->groupCapability = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1088,6 +1158,11 @@ uint32_t dot11f_unpack_tlv_p2_p_device_id(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; 
@@ -1112,12 +1187,27 @@ uint32_t dot11f_unpack_tlv_p2_p_device_info(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->configMethod, pBuf, 0); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->primaryDeviceType, pBuf, 8); pBuf += 8; tlvlen -= (uint8_t)8; @@ -1163,12 +1253,27 @@ uint32_t dot11f_unpack_tlv_primary_device_type(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; (void)pBuf; (void)tlvlen; /* Shutup the compiler */ pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (uint8_t)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; 
@@ -1189,12 +1294,27 @@ uint32_t dot11f_unpack_tlv_request_device_type(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->primary_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; + if (unlikely(tlvlen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->oui, pBuf, 4); pBuf += 4; tlvlen -= (uint8_t)4; + if (unlikely(tlvlen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sub_category, pBuf, 1); pBuf += 2; tlvlen -= (uint8_t)2; @@ -1247,6 +1367,11 @@ uint32_t dot11f_unpack_tlv_uuid_e(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (uint8_t)16; @@ -1264,6 +1389,11 @@ uint32_t dot11f_unpack_tlv_uuid_r(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->uuid, pBuf, 16); pBuf += 16; tlvlen -= (uint8_t)16; @@ -1295,6 +1425,11 @@ uint32_t dot11f_unpack_tlv_vendor_extension(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->vendorId, pBuf, 3); pBuf += 3; tlvlen -= (uint8_t)3; @@ -1319,6 +1454,11 @@ uint32_t dot11f_unpack_tlv_version(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp6__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp6__ = *pBuf; pBuf += 1; tlvlen -= 1; 
@@ -1356,6 +1496,11 @@ uint32_t dot11f_unpack_tlv_non_prefferd_chan_rep(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->oper_class = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1383,6 +1528,11 @@ uint32_t dot11f_unpack_tlv_oce_cap(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp7__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp7__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1405,6 +1555,11 @@ uint32_t dot11f_unpack_tlv_reduced_wan_metrics(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t tmp8__; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp8__ = *pBuf; pBuf += 1; tlvlen -= 1; @@ -1424,9 +1579,19 @@ uint32_t dot11f_unpack_tlv_rssi_assoc_rej(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->delta_rssi = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; + if (unlikely(tlvlen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->retry_delay = *pBuf; pBuf += 1; tlvlen -= (uint8_t)1; @@ -1450,6 +1615,11 @@ uint32_t dot11f_unpack_tlv_p2_p_interface(tpAniSirGlobal pCtx, { uint32_t status = DOT11F_PARSE_SUCCESS; pDst->present = 1; + if (unlikely(tlvlen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->P2PDeviceAddress, pBuf, 6); pBuf += 6; tlvlen -= (uint8_t)6; 
@@ -1475,14 +1645,29 @@ uint32_t dot11f_unpack_ie_gtk(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp9__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->keyId = tmp9__ >> 0 & 0x3; pDst->reserved = tmp9__ >> 2 & 0x3feb; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RSC, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; @@ -1511,15 +1696,35 @@ uint32_t dot11f_unpack_ie_igtk(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->keyID, pBuf, 2); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->IPN, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->keyLength = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 24)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key, pBuf, 24); (void)pCtx; return status; @@ -1564,6 +1769,11 @@ uint32_t dot11f_unpack_ie_r1_kh_id(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->PMK_R1_ID, pBuf, 6); (void)pCtx; return status; 
@@ -1583,6 +1793,11 @@ uint32_t dot11f_unpack_ie_ap_channel_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1611,6 +1826,11 @@ uint32_t dot11f_unpack_ie_bcn_reporting_detail(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingDetail = *pBuf; (void)pCtx; return status; @@ -1655,9 +1875,19 @@ uint32_t dot11f_unpack_ie_beacon_reporting(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reportingCondition = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->threshold = *pBuf; (void)pCtx; return status; @@ -1677,6 +1907,11 @@ uint32_t dot11f_unpack_ie_condensed_country_str(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->countryStr, pBuf, 2); (void)pCtx; return status; @@ -1696,6 +1931,11 @@ uint32_t dot11f_unpack_ie_measurement_pilot(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurementPilot = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1719,6 +1959,11 @@ uint32_t dot11f_unpack_ie_multi_bssid(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxBSSIDIndicator = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -1742,12 +1987,27 @@ uint32_t dot11f_unpack_ie_ric_data(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->Identifier = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceDescCount = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->statusCode, pBuf, 0); (void)pCtx; return status; @@ -1767,6 +2027,11 @@ uint32_t dot11f_unpack_ie_ric_descriptor(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->resourceType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -1795,6 +2060,11 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp10__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1806,6 +2076,11 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->BeaconActive = tmp10__ >> 5 & 0x1; pDst->BeaconTable = tmp10__ >> 6 & 0x1; pDst->BeaconRepCond = tmp10__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp11__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1817,6 +2092,11 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->LCIAzimuth = tmp11__ >> 5 & 0x1; pDst->TCMCapability = tmp11__ >> 6 & 0x1; pDst->triggeredTCM = tmp11__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp12__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -1824,6 +2104,11 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->RRMMIBEnabled = tmp12__ >> 1 & 0x1; pDst->operatingChanMax = tmp12__ >> 2 & 0x7; pDst->nonOperatinChanMax = tmp12__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp13__ = *pBuf; pBuf += 1; ielen -= 1; @@ -1833,6 +2118,11 @@ uint32_t dot11f_unpack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, pDst->RCPIMeasurement = tmp13__ >> 5 & 0x1; pDst->RSNIMeasurement = tmp13__ >> 6 & 0x1; pDst->BssAvgAccessDelay = tmp13__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp14__ = *pBuf; pDst->BSSAvailAdmission = tmp14__ >> 0 & 0x1; pDst->AntennaInformation = tmp14__ >> 1 & 0x1; @@ -1905,6 +2195,11 @@ uint32_t dot11f_unpack_ie_schedule(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp15__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -1912,15 +2207,35 @@ uint32_t dot11f_unpack_ie_schedule(tpAniSirGlobal pCtx, pDst->tsid = tmp15__ >> 1 & 0xf; pDst->direction = tmp15__ >> 5 & 0x3; pDst->reserved = tmp15__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; 
@@ -1940,68 +2255,163 @@ uint32_t dot11f_unpack_ie_tclas(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + 
pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; @@ -2009,6 +2419,11 @@ uint32_t dot11f_unpack_ie_tclas(tpAniSirGlobal pCtx, } break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; 
@@ -2035,6 +2450,11 @@ uint32_t dot11f_unpack_ie_ts_delay(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; @@ -2054,9 +2474,19 @@ uint32_t dot11f_unpack_ie_tsf_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->TsfOffset, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->BeaconIntvl, pBuf, 0); (void)pCtx; return status; @@ -2079,6 +2509,11 @@ uint32_t dot11f_unpack_ie_tspec(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp16__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2090,55 +2525,135 @@ uint32_t dot11f_unpack_ie_tspec(tpAniSirGlobal pCtx, pDst->psb = tmp16__ >> 10 & 0x1; pDst->user_priority = tmp16__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp16__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp17__ = *pBuf; pBuf += 1; ielen -= 1; pDst->schedule = tmp17__ >> 0 & 0x1; pDst->unused = tmp17__ >> 1 & 0x7f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp18__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp18__ >> 0 & 0x7fff; pDst->fixed = tmp18__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if 
(unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2161,6 +2676,11 @@ uint32_t dot11f_unpack_ie_vht_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp19__, pBuf, 0); pBuf += 4; ielen -= 4; 
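Review bot: dot11f_unpack_ie_tspec now carries seventeen identical guard blocks for an element whose layout is fixed; the reads across its hunks add up to 55 bytes, so a single `if (unlikely(ielen < 55)) { pDst->present = 0; return DOT11F_INCOMPLETE_IE; }` placed right after `pDst->present = 1;` would cover all of them and, unlike the per-field guards, would fail before any field of pDst has been written. The tmpNN__ temporaries and the uniform shape of these functions suggest the file is generated, in which case the consolidation belongs in the generator template rather than in hand edits. The same applies to the other fixed-layout unpackers in this chunk, such as dot11f_unpack_ie_wmmtspec, dot11f_unpack_ie_edca_param_set and dot11f_unpack_ie_vht_operation. The start of dot11f_unpack_ie_tspec lies outside the hunk.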
@@ -2184,17 +2704,37 @@ uint32_t dot11f_unpack_ie_vht_caps(tpAniSirGlobal pCtx, pDst->rxAntPattern = tmp19__ >> 28 & 0x1; pDst->txAntPattern = tmp19__ >> 29 & 0x1; pDst->reserved1 = tmp19__ >> 30 & 0x3; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->rxMCSMap, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp20__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->rxHighSupDataRate = tmp20__ >> 0 & 0x1fff; pDst->reserved2 = tmp20__ >> 13 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->txMCSMap, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp21__, pBuf, 0); pDst->txSupDataRate = tmp21__ >> 0 & 0x1fff; pDst->reserved3 = tmp21__ >> 13 & 0x7; @@ -2216,15 +2756,35 @@ uint32_t dot11f_unpack_ie_vht_operation(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanWidth = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg1 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chanCenterFreqSeg2 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->basicMCSSet, pBuf, 0); (void)pCtx; return status; 
@@ -2245,6 +2805,11 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2252,6 +2817,11 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp22__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -2259,15 +2829,35 @@ uint32_t dot11f_unpack_ie_wmm_schedule(tpAniSirGlobal pCtx, pDst->tsid = tmp22__ >> 1 & 0xf; pDst->direction = tmp22__ >> 5 & 0x3; pDst->reserved = tmp22__ >> 7 & 0x1ff; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_interval, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_service_dur, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->spec_interval, pBuf, 0); (void)pCtx; return status; @@ -2287,6 +2877,11 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -2294,68 +2889,163 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->user_priority = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->classifier_mask = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->classifier_type) { case 0: + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.source, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.EthParams.dest, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.EthParams.type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->info.IpParams.version) { case 4: + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.source, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV4Params.dest, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + 
pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV4Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.DSCP = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.proto = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->info.IpParams.params.IpV4Params.reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 6: + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.source, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.dest, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.src_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.IpParams.params.IpV6Params.dest_port, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->info.IpParams.params.IpV6Params.flow_label, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; @@ -2363,6 +3053,11 @@ uint32_t dot11f_unpack_ie_wmmtclas(tpAniSirGlobal pCtx, } break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->info.Params8021dq.tag_type, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; 
@@ -2386,6 +3081,11 @@ uint32_t dot11f_unpack_ie_wmmtclasproc(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2393,6 +3093,11 @@ uint32_t dot11f_unpack_ie_wmmtclasproc(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->processing = *pBuf; (void)pCtx; return status; @@ -2412,6 +3117,11 @@ uint32_t dot11f_unpack_ie_wmmts_delay(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2419,6 +3129,11 @@ uint32_t dot11f_unpack_ie_wmmts_delay(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay, pBuf, 0); (void)pCtx; return status; @@ -2441,6 +3156,11 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -2448,6 +3168,11 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp23__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -2459,55 +3184,135 @@ uint32_t dot11f_unpack_ie_wmmtspec(tpAniSirGlobal pCtx, pDst->psb = tmp23__ >> 10 & 0x1; pDst->user_priority = tmp23__ >> 11 & 0x7; pDst->tsinfo_ack_pol = tmp23__ >> 14 & 0x3; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp24__ = *pBuf; pBuf += 1; ielen -= 1; pDst->tsinfo_rsvd = tmp24__ >> 0 & 0x7f; pDst->burst_size_defn = tmp24__ >> 7 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp25__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->size = tmp25__ >> 0 & 0x7fff; pDst->fixed = tmp25__ >> 15 & 0x1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_msdu_size, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->max_service_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->inactivity_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->suspension_int, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->service_start_time, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->mean_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + 
if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->peak_data_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->burst_size, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->delay_bound, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->min_phy_rate, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->surplus_bw_allowance, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->medium_time, pBuf, 0); (void)pCtx; return status; @@ -2527,12 +3332,27 @@ uint32_t dot11f_unpack_ie_wider_bw_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newChanWidth = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq0 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newCenterChanFreq1 = *pBuf; (void)pCtx; return status; @@ -2552,6 +3372,11 @@ uint32_t dot11f_unpack_ie_azimuth_req(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->request = *pBuf; (void)pCtx; return status; 
@@ -2571,6 +3396,11 @@ uint32_t dot11f_unpack_ie_max_age(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->max_age, pBuf, 0); (void)pCtx; return status; @@ -2619,9 +3449,19 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp26__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2632,6 +3472,11 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, pDst->QosCap = tmp26__ >> 5 & 0x1; pDst->apsd = tmp26__ >> 6 & 0x1; pDst->rrm = tmp26__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp27__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2639,15 +3484,35 @@ uint32_t dot11f_unpack_ie_neighbor_rpt(tpAniSirGlobal pCtx, pDst->ImmBA = tmp27__ >> 1 & 0x1; pDst->MobilityDomain = tmp27__ >> 2 & 0x1; pDst->reserved = tmp27__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -2677,6 +3542,11 @@ uint32_t dot11f_unpack_ie_req_mac_addr(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->addr, pBuf, 6); (void)pCtx; return status; @@ -2696,6 +3566,11 @@ uint32_t dot11f_unpack_ie_tgt_mac_addr(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->addr, pBuf, 6); (void)pCtx; return status; @@ -2740,6 +3615,11 @@ uint32_t dot11f_unpack_ie_aid(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->assocId, pBuf, 0); (void)pCtx; return status; @@ -2759,15 +3639,35 @@ uint32_t dot11f_unpack_ie_cf_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->cfp_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->cfp_period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->cfp_maxduration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->cfp_durremaining, pBuf, 0); (void)pCtx; return status; 
@@ -2812,12 +3712,27 @@ uint32_t dot11f_unpack_ie_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switchMode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->newChannel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switchCount = *pBuf; (void)pCtx; return status; @@ -2879,6 +3794,11 @@ uint32_t dot11f_unpack_ie_country(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 3)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->country, pBuf, 3); pBuf += 3; ielen -= (uint8_t)3; @@ -2923,12 +3843,27 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qos = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp28__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2936,14 +3871,29 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acbe_acm = tmp28__ >> 4 & 0x1; pDst->acbe_aci = tmp28__ >> 5 & 0x3; pDst->unused1 = tmp28__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp29__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp29__ >> 0 & 0xf; pDst->acbe_acwmax = tmp29__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp30__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2951,14 +3901,29 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acbk_acm = tmp30__ >> 4 & 0x1; pDst->acbk_aci = tmp30__ >> 5 & 0x3; pDst->unused2 = tmp30__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp31__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp31__ >> 0 & 0xf; pDst->acbk_acwmax = tmp31__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp32__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -2966,14 +3931,29 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acvi_acm = tmp32__ >> 4 & 0x1; pDst->acvi_aci = tmp32__ >> 5 & 0x3; pDst->unused3 = tmp32__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp33__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp33__ >> 0 & 0xf; pDst->acvi_acwmax = tmp33__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp34__ = *pBuf; pBuf += 1; ielen -= 1; @@ -2981,11 +3961,21 @@ uint32_t dot11f_unpack_ie_edca_param_set(tpAniSirGlobal pCtx, pDst->acvo_acm = tmp34__ >> 4 & 0x1; pDst->acvo_aci = tmp34__ >> 5 & 0x3; pDst->unused4 = tmp34__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp35__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp35__ >> 0 & 0xf; pDst->acvo_acwmax = tmp35__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status; @@ -3006,6 +3996,11 @@ uint32_t dot11f_unpack_ie_erp_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp36__ = *pBuf; pDst->non_erp_present = tmp36__ >> 0 & 0x1; pDst->use_prot = tmp36__ >> 1 & 0x1; 
@@ -3055,9 +4050,19 @@ uint32_t dot11f_unpack_ie_ese_rad_mgmt_cap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->mgmt_state = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp37__ = *pBuf; pDst->mbssid_mask = tmp37__ >> 0 & 0x7; pDst->reserved = tmp37__ >> 3 & 0x1f; @@ -3079,12 +4084,27 @@ uint32_t dot11f_unpack_ie_ese_traf_strm_met(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tsid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->state = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->msmt_interval, pBuf, 0); (void)pCtx; return status; @@ -3104,6 +4124,11 @@ uint32_t dot11f_unpack_ie_ese_traf_strm_rate_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tsid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -3132,9 +4157,19 @@ uint32_t dot11f_unpack_ie_ese_txmit_power(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->power_limit = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved = *pBuf; (void)pCtx; return status; 
@@ -3154,6 +4189,11 @@ uint32_t dot11f_unpack_ie_ese_version(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; (void)pCtx; return status; @@ -3261,15 +4301,35 @@ uint32_t dot11f_unpack_ie_fh_param_set(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->dwell_time, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_set = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_pattern = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->hop_index = *pBuf; (void)pCtx; return status; @@ -3289,9 +4349,19 @@ uint32_t dot11f_unpack_ie_fh_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->radix = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->nchannels = *pBuf; (void)pCtx; return status; 
@@ -3311,15 +4381,35 @@ uint32_t dot11f_unpack_ie_fh_patt_table(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->flag = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->nsets = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->modulus = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->offset = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -3368,17 +4458,37 @@ uint32_t dot11f_unpack_ie_ft_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp38__, pBuf, 0); pBuf += 2; ielen -= 2; pDst->reserved = tmp38__ >> 0 & 0xff; pDst->IECount = tmp38__ >> 8 & 0xff; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->MIC, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Anonce, pBuf, 32); pBuf += 32; ielen -= (uint8_t)32; + if (unlikely(ielen < 32)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->Snonce, pBuf, 32); pBuf += 32; ielen -= (uint8_t)32; @@ -3413,6 +4523,11 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp39__, pBuf, 0); pBuf += 2; ielen -= 2; 
@@ -3430,15 +4545,30 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->psmp = tmp39__ >> 13 & 0x1; pDst->stbcControlFrame = tmp39__ >> 14 & 0x1; pDst->lsigTXOPProtection = tmp39__ >> 15 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp40__ = *pBuf; pBuf += 1; ielen -= 1; pDst->maxRxAMPDUFactor = tmp40__ >> 0 & 0x3; pDst->mpduDensity = tmp40__ >> 2 & 0x7; pDst->reserved1 = tmp40__ >> 5 & 0x7; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->supportedMCSSet, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp41__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3447,6 +4577,11 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->reserved2 = tmp41__ >> 3 & 0x1f; pDst->mcsFeedback = tmp41__ >> 8 & 0x3; pDst->reserved3 = tmp41__ >> 10 & 0x3f; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &tmp42__, pBuf, 0); pBuf += 4; ielen -= 4; @@ -3466,6 +4601,11 @@ uint32_t dot11f_unpack_ie_ht_caps(tpAniSirGlobal pCtx, pDst->uncompressedSteeringMatrixBFAntennae = tmp42__ >> 21 & 0x3; pDst->compressedSteeringMatrixBFAntennae = tmp42__ >> 23 & 0x3; pDst->reserved4 = tmp42__ >> 25 & 0x7f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp43__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3505,9 +4645,19 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->primaryChannel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp44__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3516,6 +4666,11 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->rifsMode = tmp44__ >> 3 & 0x1; pDst->controlledAccessOnly = tmp44__ >> 4 & 0x1; pDst->serviceIntervalGranularity = tmp44__ >> 5 & 0x7; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp45__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3524,6 +4679,11 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->transmitBurstLimit = tmp45__ >> 3 & 0x1; pDst->obssNonHTStaPresent = tmp45__ >> 4 & 0x1; pDst->reserved = tmp45__ >> 5 & 0x7ff; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp46__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -3534,6 +4694,11 @@ uint32_t dot11f_unpack_ie_ht_info(tpAniSirGlobal pCtx, pDst->pcoActive = tmp46__ >> 10 & 0x1; pDst->pcoPhase = tmp46__ >> 11 & 0x1; pDst->reserved2 = tmp46__ >> 12 & 0xf; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->basicMCSSet, pBuf, 16); pBuf += 16; ielen -= (uint8_t)16; @@ -3562,6 +4727,11 @@ uint32_t dot11f_unpack_ie_ibss_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->atim, pBuf, 0); (void)pCtx; return status; 
@@ -3581,12 +4751,27 @@ uint32_t dot11f_unpack_ie_link_identifier(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->InitStaAddr, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->RespStaAddr, pBuf, 6); (void)pCtx; return status; @@ -3685,9 +4870,19 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->token = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp47__ = *pBuf; pBuf += 1; ielen -= 1; @@ -3695,6 +4890,11 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, pDst->incapable = tmp47__ >> 1 & 0x1; pDst->refused = tmp47__ >> 2 & 0x1; pDst->unused = tmp47__ >> 3 & 0x1f; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -3703,15 +4903,35 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, } else { switch (pDst->type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Basic.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Basic.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp48__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3723,84 +4943,209 @@ uint32_t dot11f_unpack_ie_measurement_report(tpAniSirGlobal pCtx, pDst->report.Basic.unused = tmp48__ >> 5 & 0x7; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.CCA.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.CCA.cca_busy_fraction = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.RPIHistogram.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi0_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi1_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi2_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + 
pDst->report.RPIHistogram.rpi3_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi4_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi5_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi6_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.RPIHistogram.rpi7_density = *pBuf; pBuf += 1; ielen -= (uint8_t)1; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohq(pCtx, &pDst->report.Beacon.meas_start_time, pBuf, 0); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->report.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp49__ = *pBuf; pBuf += 1; ielen -= 1; pDst->report.Beacon.condensed_PHY = tmp49__ >> 0 & 0x7f; pDst->report.Beacon.reported_frame_type = tmp49__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RCPI = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.RSNI = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + 
if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->report.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->report.Beacon.antenna_id = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->report.Beacon.parent_TSF, pBuf, 0); pBuf += 4; ielen -= (uint8_t)4; @@ -3903,9 +5248,19 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_token = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp50__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -3915,59 +5270,139 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, pDst->report = tmp50__ >> 3 & 0x1; pDst->durationMandatory = tmp50__ >> 4 & 0x1; pDst->unused = tmp50__ >> 5 & 0x7; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; switch (pDst->measurement_type) { case 0: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Basic.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Basic.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Basic.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 1: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.CCA.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.CCA.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.CCA.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 2: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.RPIHistogram.channel_no = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.RPIHistogram.meas_start_time, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return 
DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.RPIHistogram.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 5: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.regClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.randomization, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.Beacon.meas_duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.Beacon.meas_mode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->measurement_request.Beacon.BSSID, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; @@ -3980,6 +5415,11 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, sizeof(*pDst), append_ie); break; case 8: + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.lci.loc_subject = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -3992,9 +5432,19 @@ uint32_t dot11f_unpack_ie_measurement_request(tpAniSirGlobal pCtx, sizeof(*pDst), append_ie); break; case 16: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->measurement_request.ftmrr.random_interval, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->measurement_request.ftmrr.min_ap_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -4026,9 +5476,19 @@ uint32_t dot11f_unpack_ie_mobility_domain(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->MDID, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp51__ = *pBuf; pDst->overDSCap = tmp51__ >> 0 & 0x1; pDst->resourceReqCap = tmp51__ >> 1 & 0x1; @@ -4080,9 +5540,19 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->bssid, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp52__ = *pBuf; pBuf += 1; ielen -= 1; @@ -4093,6 +5563,11 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, pDst->QosCap = tmp52__ >> 5 & 0x1; pDst->apsd = tmp52__ >> 6 & 0x1; pDst->rrm = tmp52__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp53__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -4100,15 +5575,35 @@ uint32_t dot11f_unpack_ie_neighbor_report(tpAniSirGlobal pCtx, pDst->ImmBA = tmp53__ >> 1 & 0x1; pDst->MobilityDomain = tmp53__ >> 2 & 0x1; pDst->reserved = tmp53__ >> 3 & 0x1f; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->reserved1, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->regulatoryClass = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->PhyType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -4138,24 +5633,59 @@ uint32_t dot11f_unpack_ie_obss_scan_parameters(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveDwell, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveDwell, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssChannelWidthTriggerScanInterval, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanPassiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActiveTotalPerChannel, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bssWidthChannelTransitionDelayFactor, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->obssScanActivityThreshold, pBuf, 0); (void)pCtx; return status; @@ -4176,6 +5706,11 @@ uint32_t dot11f_unpack_ie_operating_mode(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp54__ = *pBuf; pDst->chanWidth = tmp54__ >> 0 & 0x3; pDst->reserved = tmp54__ >> 2 & 0x3; 
@@ -4489,9 +6024,19 @@ uint32_t dot11f_unpack_ie_pti_control(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tid = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->sequence_control, pBuf, 0); (void)pCtx; return status; @@ -4512,6 +6057,11 @@ uint32_t dot11f_unpack_ie_pu_buffer_status(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp55__ = *pBuf; pDst->ac_bk_traffic_aval = tmp55__ >> 0 & 0x1; pDst->ac_be_traffic_aval = tmp55__ >> 1 & 0x1; @@ -4536,9 +6086,19 @@ uint32_t dot11f_unpack_ie_power_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->minTxPower = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->maxTxPower = *pBuf; (void)pCtx; return status; @@ -4558,6 +6118,11 @@ uint32_t dot11f_unpack_ie_power_constraints(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->localPowerConstraints = *pBuf; (void)pCtx; return status; 
@@ -4577,12 +6142,27 @@ uint32_t dot11f_unpack_ie_qbss_load(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->stacount, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->chautil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->avail, pBuf, 0); (void)pCtx; return status; @@ -4602,6 +6182,11 @@ uint32_t dot11f_unpack_ie_QCN_IE(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->version, pBuf, 4); (void)pCtx; return status; @@ -4621,9 +6206,19 @@ uint32_t dot11f_unpack_ie_QComVendorIE(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->type = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->channel = *pBuf; (void)pCtx; return status; @@ -4644,6 +6239,11 @@ uint32_t dot11f_unpack_ie_qos_caps_ap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp56__ = *pBuf; pDst->count = tmp56__ >> 0 & 0xf; pDst->qack = tmp56__ >> 4 & 0x1; @@ -4669,6 +6269,11 @@ uint32_t dot11f_unpack_ie_qos_caps_station(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp57__ = *pBuf; pDst->acvo_uapsd = tmp57__ >> 0 & 0x1; pDst->acvi_uapsd = tmp57__ >> 1 & 0x1; 
@@ -4720,15 +6325,35 @@ uint32_t dot11f_unpack_ie_quiet(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->duration, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->offset, pBuf, 0); (void)pCtx; return status; @@ -4748,6 +6373,11 @@ uint32_t dot11f_unpack_ie_rcpiie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rcpi = *pBuf; (void)pCtx; return status; @@ -4841,10 +6471,16 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, uint32_t status = DOT11F_PARSE_SUCCESS; uint8_t def_cipher_suite[4] = {0x00, 0x0f, 0xac, 0x04}; uint8_t def_akm_suite[4] = {0x00, 0x0f, 0xac, 0x01}; + (void) pBuf; (void)ielen; /* Shutup the compiler */ if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -4866,9 +6502,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->gp_cipher_suite_present = 1; - if (ielen < 4) { + if (unlikely(ielen < 4)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } DOT11F_MEMCPY(pCtx, pDst->gp_cipher_suite, pBuf, 4); 
@@ -4886,22 +6522,22 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { - if (ielen < 2) { + if (unlikely(ielen < 2)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } framesntohs(pCtx, &pDst->pwise_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } - if (!pDst->pwise_cipher_suite_count || - pDst->pwise_cipher_suite_count > 6) { + if (unlikely(ielen < pDst->pwise_cipher_suite_count * 4)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } - if (ielen < pDst->pwise_cipher_suite_count * 4) { + if (!pDst->pwise_cipher_suite_count || + pDst->pwise_cipher_suite_count > 6) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; } @@ -4917,22 +6553,22 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { - if (ielen < 2) { + if (unlikely(ielen < 2)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } framesntohs(pCtx, &pDst->akm_suite_cnt, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } - if (!pDst->akm_suite_cnt || - pDst->akm_suite_cnt > 6) { + if (unlikely(ielen < pDst->akm_suite_cnt * 4)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } - if (ielen < pDst->akm_suite_cnt * 4) { + if (!pDst->akm_suite_cnt || + pDst->akm_suite_cnt > 6) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; } @@ -4947,9 +6583,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->RSN_Cap_present = 1; - if (ielen < 2) { + if (unlikely(ielen < 2)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } DOT11F_MEMCPY(pCtx, pDst->RSN_Cap, pBuf, 2); 
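Review bot: Swapping the order of the two checks after pwise_cipher_suite_count is read changes which status an out-of-range count produces: a count above 6 now almost always fails `if (unlikely(ielen < pDst->pwise_cipher_suite_count * 4))` first and returns DOT11F_INCOMPLETE_IE, where it previously returned DOT11F_SKIPPED_BAD_IE. If callers treat the two codes differently (skip this IE versus abandon the frame), the new ordering turns a malformed-but-bounded IE into an incomplete one; keeping the range check first, or a comment such as `/* length check first: an oversized count is reported as INCOMPLETE, not BAD */`, would make the intent explicit. The same ordering appears for akm_suite_cnt in the second hunk on this line, for pmkid_count in the next hunk, and in the new length-before-range checks added to dot11f_unpack_ie_wapi and dot11f_unpack_ie_wpa. The enclosing dot11f_unpack_ie_rsn body continues outside these hunks.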
@@ -4962,21 +6598,21 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, pDst->pmkid_count = 0U; return 0U; } else { - if (ielen < 2) { + if (unlikely(ielen < 2)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } framesntohs(pCtx, &pDst->pmkid_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } - if (pDst->pmkid_count > 4) { + if (unlikely(ielen < pDst->pmkid_count * 16)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } - if (ielen < pDst->pmkid_count * 16) { + if (pDst->pmkid_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; } @@ -4988,9 +6624,9 @@ uint32_t dot11f_unpack_ie_rsn(tpAniSirGlobal pCtx, return 0U; } else { pDst->gp_mgmt_cipher_suite_present = 1; - if (ielen < 4) { + if (unlikely(ielen < 4)) { pDst->present = 0; - return DOT11F_SKIPPED_BAD_IE; + return DOT11F_INCOMPLETE_IE; } DOT11F_MEMCPY(pCtx, pDst->gp_mgmt_cipher_suite, pBuf, 4); @@ -5013,6 +6649,11 @@ uint32_t dot11f_unpack_ie_rsniie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->rsni = *pBuf; (void)pCtx; return status; @@ -5140,12 +6781,27 @@ uint32_t dot11f_unpack_ie_tim(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_count = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->dtim_period = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->bmpctl = *pBuf; pBuf += 1; ielen -= (uint8_t)1; 
@@ -5174,9 +6830,19 @@ uint32_t dot11f_unpack_ie_tpc_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->tx_power = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->link_margin = *pBuf; (void)pCtx; return status; @@ -5214,12 +6880,27 @@ uint32_t dot11f_unpack_ie_time_advertisement(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timing_capabilities = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 10)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_value, pBuf, 10); pBuf += 10; ielen -= (uint8_t)10; + if (unlikely(ielen < 5)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->time_error, pBuf, 5); (void)pCtx; return status; @@ -5239,9 +6920,19 @@ uint32_t dot11f_unpack_ie_timeout_interval(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->timeoutType = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohl(pCtx, &pDst->timeoutValue, pBuf, 0); (void)pCtx; return status; 
@@ -5261,18 +6952,43 @@ uint32_t dot11f_unpack_ie_vht_ext_bss_load(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->muMIMOCapStaCount = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->ssUnderUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->FortyMHzUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->EightyMHzUtil = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->OneSixtyMHzUtil = *pBuf; (void)pCtx; return status; @@ -5329,6 +7045,11 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; @@ -5336,9 +7057,19 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->akm_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < pDst->akm_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->akm_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -5347,9 +7078,19 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, DOT11F_MEMCPY(pCtx, pDst->akm_suites, pBuf, (pDst->akm_suite_count * 4)); pBuf += (pDst->akm_suite_count * 4); ielen -= (pDst->akm_suite_count * 4); + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < pDst->unicast_cipher_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; @@ -5358,9 +7099,19 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, DOT11F_MEMCPY(pCtx, pDst->unicast_cipher_suites, pBuf, (pDst->unicast_cipher_suite_count * 4)); pBuf += (pDst->unicast_cipher_suite_count * 4); ielen -= (pDst->unicast_cipher_suite_count * 4); + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher_suite, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp58__, pBuf, 0); pBuf += 2; ielen -= 2; @@ -5370,10 +7121,20 @@ uint32_t dot11f_unpack_ie_wapi(tpAniSirGlobal pCtx, pDst->bkid_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->bkid_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->bkid_count * 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->bkid_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE; 
@@ -5423,9 +7184,19 @@ uint32_t dot11f_unpack_ie_wfatpc(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->txPower = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->linkMargin = *pBuf; (void)pCtx; return status; @@ -5471,6 +7242,11 @@ uint32_t dot11f_unpack_ie_wmm_caps(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -5478,6 +7254,11 @@ uint32_t dot11f_unpack_ie_wmm_caps(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp59__ = *pBuf; pDst->reserved = tmp59__ >> 0 & 0xf; pDst->qack = tmp59__ >> 4 & 0x1; @@ -5503,9 +7284,19 @@ uint32_t dot11f_unpack_ie_wmm_info_ap(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp60__ = *pBuf; pDst->param_set_count = tmp60__ >> 0 & 0xf; pDst->reserved = tmp60__ >> 4 & 0x7; @@ -5529,9 +7320,19 @@ uint32_t dot11f_unpack_ie_wmm_info_station(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp61__ = *pBuf; pDst->acvo_uapsd = tmp61__ >> 0 & 0x1; pDst->acvi_uapsd = tmp61__ >> 1 & 0x1; 
@@ -5566,6 +7367,11 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->version = *pBuf; pBuf += 1; ielen -= (uint8_t)1; @@ -5573,12 +7379,27 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->present = 0; return status | DOT11F_BAD_FIXED_VALUE; } + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->qosInfo = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->reserved2 = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp62__ = *pBuf; pBuf += 1; ielen -= 1; @@ -5586,14 +7407,29 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acbe_acm = tmp62__ >> 4 & 0x1; pDst->acbe_aci = tmp62__ >> 5 & 0x3; pDst->unused1 = tmp62__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp63__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbe_acwmin = tmp63__ >> 0 & 0xf; pDst->acbe_acwmax = tmp63__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbe_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp64__ = *pBuf; pBuf += 1; ielen -= 1; 
@@ -5601,14 +7437,29 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acbk_acm = tmp64__ >> 4 & 0x1; pDst->acbk_aci = tmp64__ >> 5 & 0x3; pDst->unused2 = tmp64__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp65__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acbk_acwmin = tmp65__ >> 0 & 0xf; pDst->acbk_acwmax = tmp65__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acbk_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp66__ = *pBuf; pBuf += 1; ielen -= 1;
@@ -5616,14 +7467,29 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acvi_acm = tmp66__ >> 4 & 0x1; pDst->acvi_aci = tmp66__ >> 5 & 0x3; pDst->unused3 = tmp66__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp67__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvi_acwmin = tmp67__ >> 0 & 0xf; pDst->acvi_acwmax = tmp67__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvi_txoplimit, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp68__ = *pBuf; pBuf += 1; ielen -= 1;
@@ -5631,11 +7497,21 @@ uint32_t dot11f_unpack_ie_wmm_params(tpAniSirGlobal pCtx, pDst->acvo_acm = tmp68__ >> 4 & 0x1; pDst->acvo_aci = tmp68__ >> 5 & 0x3; pDst->unused4 = tmp68__ >> 7 & 0x1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp69__ = *pBuf; pBuf += 1; ielen -= 1; pDst->acvo_acwmin = tmp69__ >> 0 & 0xf; pDst->acvo_acwmax = tmp69__ >> 4 & 0xf; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->acvo_txoplimit, pBuf, 0); (void)pCtx; return status;
@@ -5655,6 +7531,11 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->version, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2;
@@ -5669,6 +7550,11 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, return 0U; } else { pDst->multicast_cipher_present = 1U; + if (unlikely(ielen < 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->multicast_cipher, pBuf, 4); pBuf += 4; ielen -= (uint8_t)4;
@@ -5678,10 +7564,20 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, pDst->auth_suite_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->unicast_cipher_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->unicast_cipher_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->unicast_cipher_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE;
@@ -5694,10 +7590,20 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, pDst->auth_suite_count = 0U; return 0U; } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->auth_suite_count, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; } + if (unlikely(ielen < pDst->auth_suite_count * 4)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + if (pDst->auth_suite_count > 4) { pDst->present = 0; return DOT11F_SKIPPED_BAD_IE;
@@ -5709,6 +7615,11 @@ uint32_t dot11f_unpack_ie_wpa(tpAniSirGlobal pCtx, if (!ielen) { return 0U; } else { + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->caps, pBuf, 0); } (void)pCtx;
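Review bot: In dot11f_unpack_ie_wpa the new `if (unlikely(ielen < pDst->unicast_cipher_count * 4))` guard is placed ahead of the existing `if (pDst->unicast_cipher_count > 4)` sanity check, and the auth_suite_count guard later in the same hunk has the same order; a count above 4 that also exceeds the remaining length now reports DOT11F_INCOMPLETE_IE where it previously reported DOT11F_SKIPPED_BAD_IE, so the status a caller sees for a malformed count depends on how many bytes happen to follow. Placing each length guard after its count check keeps the existing status for bad counts and means the multiplication only runs on a value already bounded to 4. The guard itself is sound as written, since the product of a 16-bit count and 4 cannot overflow int. The copy loops that consume those bytes and the rest of the function are outside the hunk.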
@@ -6248,15 +8159,35 @@ uint32_t dot11f_unpack_ie_ext_chan_switch_ann(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_mode = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_reg_class = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->new_channel = *pBuf; pBuf += 1; ielen -= (uint8_t)1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->switch_count = *pBuf; (void)pCtx; return status;
@@ -6276,6 +8207,11 @@ uint32_t dot11f_unpack_ie_fils_assoc_delay_info(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->assoc_delay_info = *pBuf; (void)pCtx; return status;
@@ -6295,9 +8231,19 @@ uint32_t dot11f_unpack_ie_fils_hlp_container(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->dest_mac, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6; + if (unlikely(ielen < 6)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->src_mac, pBuf, 6); pBuf += 6; ielen -= (uint8_t)6;
@@ -6322,6 +8268,11 @@ uint32_t dot11f_unpack_ie_fils_indication(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &tmp70__, pBuf, 0); pBuf += 2; ielen -= 2;
@@ -6354,6 +8305,11 @@ uint32_t dot11f_unpack_ie_fils_kde(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->key_rsc, pBuf, 8); pBuf += 8; ielen -= (uint8_t)8;
@@ -6397,6 +8353,11 @@ uint32_t dot11f_unpack_ie_fils_nonce(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 16)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->nonce, pBuf, 16); (void)pCtx; return status;
@@ -6416,6 +8377,11 @@ uint32_t dot11f_unpack_ie_fils_public_key(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->key_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1;
@@ -6439,6 +8405,11 @@ uint32_t dot11f_unpack_ie_fils_session(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 8)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + DOT11F_MEMCPY(pCtx, pDst->session, pBuf, 8); (void)pCtx; return status;
@@ -6499,6 +8470,11 @@ uint32_t dot11f_unpack_ie_hs20vendor_ie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp71__ = *pBuf; pBuf += 1; ielen -= 1;
@@ -6511,11 +8487,21 @@ uint32_t dot11f_unpack_ie_hs20vendor_ie(tpAniSirGlobal pCtx, } else { switch (pDst->hs_id_present) { case 1: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->hs_id.pps_mo.pps_mo_id, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2; break; case 2: + if (unlikely(ielen < 2)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + framesntohs(pCtx, &pDst->hs_id.anqp_domain.anqp_domain_id, pBuf, 0); pBuf += 2; ielen -= (uint8_t)2;
@@ -6541,6 +8527,11 @@ uint32_t dot11f_unpack_ie_ht2040_bss_coexistence(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + tmp72__ = *pBuf; pDst->info_request = tmp72__ >> 0 & 0x1; pDst->forty_mhz_intolerant = tmp72__ >> 1 & 0x1;
@@ -6566,6 +8557,11 @@ uint32_t dot11f_unpack_ie_ht2040_bss_intolerant_report(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->operating_class = *pBuf; pBuf += 1; ielen -= (uint8_t)1;
@@ -6614,6 +8610,11 @@ uint32_t dot11f_unpack_ie_sec_chan_offset_ele(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->secondaryChannelOffset = *pBuf; (void)pCtx; return status;
@@ -6648,6 +8649,11 @@ uint32_t dot11f_unpack_ie_vendor_vht_ie(tpAniSirGlobal pCtx, if (pDst->present) status = DOT11F_DUPLICATE_IE; pDst->present = 1; + if (unlikely(ielen < 1)) { + pDst->present = 0; + return DOT11F_INCOMPLETE_IE; + } + pDst->sub_type = *pBuf; pBuf += 1; ielen -= (uint8_t)1;
@@ -15017,6 +17023,9 @@ uint32_t dot11f_pack_tlv_version2(tpAniSirGlobal pCtx, tmp78__ = 0U; tmp78__ |= (pSrc->minor << 0); tmp78__ |= (pSrc->major << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp78__; *pnConsumed += 1; pBuf += 1;
@@ -15986,6 +17995,9 @@ uint32_t dot11f_pack_tlv_version(tpAniSirGlobal pCtx, tmp79__ = 0U; tmp79__ |= (pSrc->minor << 0); tmp79__ |= (pSrc->major << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp79__; *pnConsumed += 1; pBuf += 1;
@@ -16229,6 +18241,9 @@ uint32_t dot11f_pack_tlv_oce_cap(tpAniSirGlobal pCtx, tmp80__ |= (pSrc->is_sta_cfon << 3); tmp80__ |= (pSrc->non_oce_ap_present << 4); tmp80__ |= (pSrc->reserved << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp80__; *pnConsumed += 1; pBuf += 1;
@@ -16263,6 +18278,9 @@ uint32_t dot11f_pack_tlv_reduced_wan_metrics(tpAniSirGlobal pCtx, tmp81__ = 0U; tmp81__ |= (pSrc->downlink_av_cap << 0); tmp81__ |= (pSrc->uplink_av_cap << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp81__; *pnConsumed += 1; pBuf += 1;
@@ -16445,6 +18463,9 @@ uint32_t dot11f_pack_ie_gtk(tpAniSirGlobal pCtx, tmp82__ = 0U; tmp82__ |= (pSrc->keyId << 0); tmp82__ |= (pSrc->reserved << 2); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp82__, 0); *pnConsumed += 2; pBuf += 2;
@@ -16876,6 +18897,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp83__ |= (pSrc->BeaconActive << 5); tmp83__ |= (pSrc->BeaconTable << 6); tmp83__ |= (pSrc->BeaconRepCond << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp83__; *pnConsumed += 1; pBuf += 1;
@@ -16889,6 +18913,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp84__ |= (pSrc->LCIAzimuth << 5); tmp84__ |= (pSrc->TCMCapability << 6); tmp84__ |= (pSrc->triggeredTCM << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp84__; *pnConsumed += 1; pBuf += 1;
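Review bot: Every pack hunk from dot11f_pack_tlv_version2 here through dot11f_pack_ie_ht2040_bss_coexistence on the following lines adds `if (unlikely(nBuf < N)) return DOT11F_INCOMPLETE_IE;` in front of a write that is followed by `*pnConsumed += N; pBuf += N;`, but no `nBuf -= N;` appears within the hunk context; unless nBuf is reduced in the lines just beyond each hunk, consecutive guards in one function (the five `nBuf < 1` checks in dot11f_pack_ie_rrm_enabled_cap, for instance) all compare against the original buffer size and the later writes can still run past the end — worth confirming against the generated code outside the hunks. Separately, when a guard fires, `*pnConsumed` already includes the bytes written by earlier fields, so callers must not use the consumed count on DOT11F_INCOMPLETE_IE; a one-line comment at the first such return, e.g. `/* *pnConsumed counts bytes already written before the truncation */`, would make that contract visible. The enclosing functions extend outside the hunks.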
@@ -16898,6 +18925,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp85__ |= (pSrc->RRMMIBEnabled << 1); tmp85__ |= (pSrc->operatingChanMax << 2); tmp85__ |= (pSrc->nonOperatinChanMax << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp85__; *pnConsumed += 1; pBuf += 1;
@@ -16909,6 +18939,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp86__ |= (pSrc->RCPIMeasurement << 5); tmp86__ |= (pSrc->RSNIMeasurement << 6); tmp86__ |= (pSrc->BssAvgAccessDelay << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp86__; *pnConsumed += 1; pBuf += 1;
@@ -16919,6 +18952,9 @@ uint32_t dot11f_pack_ie_rrm_enabled_cap(tpAniSirGlobal pCtx, tmp87__ |= (pSrc->fine_time_meas_rpt << 2); tmp87__ |= (pSrc->lci_capability << 3); tmp87__ |= (pSrc->reserved << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp87__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -17013,6 +19049,9 @@ uint32_t dot11f_pack_ie_schedule(tpAniSirGlobal pCtx, tmp88__ |= (pSrc->tsid << 1); tmp88__ |= (pSrc->direction << 5); tmp88__ |= (pSrc->reserved << 7); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp88__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17260,6 +19299,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp89__ |= (pSrc->psb << 10); tmp89__ |= (pSrc->user_priority << 11); tmp89__ |= (pSrc->tsinfo_ack_pol << 14); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp89__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17267,6 +19309,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp90__ = 0U; tmp90__ |= (pSrc->schedule << 0); tmp90__ |= (pSrc->unused << 1); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp90__; *pnConsumed += 1; pBuf += 1;
@@ -17274,6 +19319,9 @@ uint32_t dot11f_pack_ie_tspec(tpAniSirGlobal pCtx, tmp91__ = 0U; tmp91__ |= (pSrc->size << 0); tmp91__ |= (pSrc->fixed << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp91__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17370,6 +19418,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp92__ |= (pSrc->rxAntPattern << 28); tmp92__ |= (pSrc->txAntPattern << 29); tmp92__ |= (pSrc->reserved1 << 30); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp92__, 0); *pnConsumed += 4; pBuf += 4;
@@ -17380,6 +19431,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp93__ = 0U; tmp93__ |= (pSrc->rxHighSupDataRate << 0); tmp93__ |= (pSrc->reserved2 << 13); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp93__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17390,6 +19444,9 @@ uint32_t dot11f_pack_ie_vht_caps(tpAniSirGlobal pCtx, tmp94__ = 0U; tmp94__ |= (pSrc->txSupDataRate << 0); tmp94__ |= (pSrc->reserved3 << 13); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp94__, 0); *pnConsumed += 2; /* fieldsEndFlag = 1 */
@@ -17477,6 +19534,9 @@ uint32_t dot11f_pack_ie_wmm_schedule(tpAniSirGlobal pCtx, tmp95__ |= (pSrc->tsid << 1); tmp95__ |= (pSrc->direction << 5); tmp95__ |= (pSrc->reserved << 7); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp95__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17744,6 +19804,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp96__ |= (pSrc->psb << 10); tmp96__ |= (pSrc->user_priority << 11); tmp96__ |= (pSrc->tsinfo_ack_pol << 14); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp96__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17751,6 +19814,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp97__ = 0U; tmp97__ |= (pSrc->tsinfo_rsvd << 0); tmp97__ |= (pSrc->burst_size_defn << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp97__; *pnConsumed += 1; pBuf += 1;
@@ -17758,6 +19824,9 @@ uint32_t dot11f_pack_ie_wmmtspec(tpAniSirGlobal pCtx, tmp98__ = 0U; tmp98__ |= (pSrc->size << 0); tmp98__ |= (pSrc->fixed << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp98__, 0); *pnConsumed += 2; pBuf += 2;
@@ -17939,6 +20008,9 @@ uint32_t dot11f_pack_ie_neighbor_rpt(tpAniSirGlobal pCtx, tmp99__ |= (pSrc->QosCap << 5); tmp99__ |= (pSrc->apsd << 6); tmp99__ |= (pSrc->rrm << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp99__; *pnConsumed += 1; pBuf += 1;
@@ -17948,6 +20020,9 @@ uint32_t dot11f_pack_ie_neighbor_rpt(tpAniSirGlobal pCtx, tmp100__ |= (pSrc->ImmBA << 1); tmp100__ |= (pSrc->MobilityDomain << 2); tmp100__ |= (pSrc->reserved << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp100__; *pnConsumed += 1; pBuf += 1;
@@ -18338,6 +20413,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp101__ |= (pSrc->acbe_acm << 4); tmp101__ |= (pSrc->acbe_aci << 5); tmp101__ |= (pSrc->unused1 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp101__; *pnConsumed += 1; pBuf += 1;
@@ -18345,6 +20423,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp102__ = 0U; tmp102__ |= (pSrc->acbe_acwmin << 0); tmp102__ |= (pSrc->acbe_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp102__; *pnConsumed += 1; pBuf += 1;
@@ -18357,6 +20438,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp103__ |= (pSrc->acbk_acm << 4); tmp103__ |= (pSrc->acbk_aci << 5); tmp103__ |= (pSrc->unused2 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp103__; *pnConsumed += 1; pBuf += 1;
@@ -18364,6 +20448,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp104__ = 0U; tmp104__ |= (pSrc->acbk_acwmin << 0); tmp104__ |= (pSrc->acbk_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp104__; *pnConsumed += 1; pBuf += 1;
@@ -18376,6 +20463,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp105__ |= (pSrc->acvi_acm << 4); tmp105__ |= (pSrc->acvi_aci << 5); tmp105__ |= (pSrc->unused3 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp105__; *pnConsumed += 1; pBuf += 1;
@@ -18383,6 +20473,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp106__ = 0U; tmp106__ |= (pSrc->acvi_acwmin << 0); tmp106__ |= (pSrc->acvi_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp106__; *pnConsumed += 1; pBuf += 1;
@@ -18395,6 +20488,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp107__ |= (pSrc->acvo_acm << 4); tmp107__ |= (pSrc->acvo_aci << 5); tmp107__ |= (pSrc->unused4 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp107__; *pnConsumed += 1; pBuf += 1;
@@ -18402,6 +20498,9 @@ uint32_t dot11f_pack_ie_edca_param_set(tpAniSirGlobal pCtx, tmp108__ = 0U; tmp108__ |= (pSrc->acvo_acwmin << 0); tmp108__ |= (pSrc->acvo_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp108__; *pnConsumed += 1; pBuf += 1;
@@ -18441,6 +20540,9 @@ uint32_t dot11f_pack_ie_erp_info(tpAniSirGlobal pCtx, tmp109__ |= (pSrc->use_prot << 1); tmp109__ |= (pSrc->barker_preamble << 2); tmp109__ |= (pSrc->unused << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp109__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -18523,6 +20625,9 @@ uint32_t dot11f_pack_ie_ese_rad_mgmt_cap(tpAniSirGlobal pCtx, tmp110__ = 0U; tmp110__ |= (pSrc->mbssid_mask << 0); tmp110__ |= (pSrc->reserved << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp110__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -18920,6 +21025,9 @@ uint32_t dot11f_pack_ie_ft_info(tpAniSirGlobal pCtx, tmp111__ = 0U; tmp111__ |= (pSrc->reserved << 0); tmp111__ |= (pSrc->IECount << 8); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp111__, 0); *pnConsumed += 2; pBuf += 2;
@@ -18986,6 +21094,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp112__ |= (pSrc->psmp << 13); tmp112__ |= (pSrc->stbcControlFrame << 14); tmp112__ |= (pSrc->lsigTXOPProtection << 15); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp112__, 0); *pnConsumed += 2; pBuf += 2;
@@ -18994,6 +21105,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp113__ |= (pSrc->maxRxAMPDUFactor << 0); tmp113__ |= (pSrc->mpduDensity << 2); tmp113__ |= (pSrc->reserved1 << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp113__; *pnConsumed += 1; pBuf += 1;
@@ -19007,6 +21121,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp114__ |= (pSrc->reserved2 << 3); tmp114__ |= (pSrc->mcsFeedback << 8); tmp114__ |= (pSrc->reserved3 << 10); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp114__, 0); *pnConsumed += 2; pBuf += 2;
@@ -19028,6 +21145,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp115__ |= (pSrc->uncompressedSteeringMatrixBFAntennae << 21); tmp115__ |= (pSrc->compressedSteeringMatrixBFAntennae << 23); tmp115__ |= (pSrc->reserved4 << 25); + if (unlikely(nBuf < 4)) + return DOT11F_INCOMPLETE_IE; + frameshtonl(pCtx, pBuf, tmp115__, 0); *pnConsumed += 4; pBuf += 4;
@@ -19041,6 +21161,9 @@ uint32_t dot11f_pack_ie_ht_caps(tpAniSirGlobal pCtx, tmp116__ |= (pSrc->rxAS << 5); tmp116__ |= (pSrc->txSoundingPPDUs << 6); tmp116__ |= (pSrc->reserved5 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp116__; *pnConsumed += 1; pBuf += 1;
@@ -19086,6 +21209,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx, tmp117__ |= (pSrc->rifsMode << 3); tmp117__ |= (pSrc->controlledAccessOnly << 4); tmp117__ |= (pSrc->serviceIntervalGranularity << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp117__; *pnConsumed += 1; pBuf += 1;
@@ -19096,6 +21222,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx, tmp118__ |= (pSrc->transmitBurstLimit << 3); tmp118__ |= (pSrc->obssNonHTStaPresent << 4); tmp118__ |= (pSrc->reserved << 5); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp118__, 0); *pnConsumed += 2; pBuf += 2;
@@ -19108,6 +21237,9 @@ uint32_t dot11f_pack_ie_ht_info(tpAniSirGlobal pCtx, tmp119__ |= (pSrc->pcoActive << 10); tmp119__ |= (pSrc->pcoPhase << 11); tmp119__ |= (pSrc->reserved2 << 12); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp119__, 0); *pnConsumed += 2; pBuf += 2;
@@ -19270,6 +21402,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx, tmp120__ |= (pSrc->incapable << 1); tmp120__ |= (pSrc->refused << 2); tmp120__ |= (pSrc->unused << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp120__; *pnConsumed += 1; pBuf += 1;
@@ -19296,6 +21431,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx, tmp121__ |= (pSrc->report.Basic.rader << 3); tmp121__ |= (pSrc->report.Basic.unmeasured << 4); tmp121__ |= (pSrc->report.Basic.unused << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp121__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -19366,6 +21504,9 @@ uint32_t dot11f_pack_ie_measurement_report(tpAniSirGlobal pCtx, tmp122__ = 0U; tmp122__ |= (pSrc->report.Beacon.condensed_PHY << 0); tmp122__ |= (pSrc->report.Beacon.reported_frame_type << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp122__; *pnConsumed += 1; pBuf += 1;
@@ -19437,6 +21578,9 @@ uint32_t dot11f_pack_ie_measurement_request(tpAniSirGlobal pCtx, tmp123__ |= (pSrc->report << 3); tmp123__ |= (pSrc->durationMandatory << 4); tmp123__ |= (pSrc->unused << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp123__; *pnConsumed += 1; pBuf += 1;
@@ -19567,6 +21711,9 @@ uint32_t dot11f_pack_ie_mobility_domain(tpAniSirGlobal pCtx, tmp124__ |= (pSrc->overDSCap << 0); tmp124__ |= (pSrc->resourceReqCap << 1); tmp124__ |= (pSrc->reserved << 2); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp124__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -19613,6 +21760,9 @@ uint32_t dot11f_pack_ie_neighbor_report(tpAniSirGlobal pCtx, tmp125__ |= (pSrc->QosCap << 5); tmp125__ |= (pSrc->apsd << 6); tmp125__ |= (pSrc->rrm << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp125__; *pnConsumed += 1; pBuf += 1;
@@ -19622,6 +21772,9 @@ uint32_t dot11f_pack_ie_neighbor_report(tpAniSirGlobal pCtx, tmp126__ |= (pSrc->ImmBA << 1); tmp126__ |= (pSrc->MobilityDomain << 2); tmp126__ |= (pSrc->reserved << 3); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp126__; *pnConsumed += 1; pBuf += 1;
@@ -19724,6 +21877,9 @@ uint32_t dot11f_pack_ie_operating_mode(tpAniSirGlobal pCtx, tmp127__ |= (pSrc->reserved << 2); tmp127__ |= (pSrc->rxNSS << 4); tmp127__ |= (pSrc->rxNSSType << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp127__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -20214,6 +22370,9 @@ uint32_t dot11f_pack_ie_pu_buffer_status(tpAniSirGlobal pCtx, tmp128__ |= (pSrc->ac_vi_traffic_aval << 2); tmp128__ |= (pSrc->ac_vo_traffic_aval << 3); tmp128__ |= (pSrc->reserved << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp128__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -20422,6 +22581,9 @@ uint32_t dot11f_pack_ie_qos_caps_ap(tpAniSirGlobal pCtx, tmp129__ |= (pSrc->qreq << 5); tmp129__ |= (pSrc->txopreq << 6); tmp129__ |= (pSrc->reserved << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp129__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -20461,6 +22623,9 @@ uint32_t dot11f_pack_ie_qos_caps_station(tpAniSirGlobal pCtx, tmp130__ |= (pSrc->qack << 4); tmp130__ |= (pSrc->max_sp_length << 5); tmp130__ |= (pSrc->more_data_ack << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp130__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -21135,6 +23300,9 @@ uint32_t dot11f_pack_ie_wapi(tpAniSirGlobal pCtx, tmp131__ = 0U; tmp131__ |= (pSrc->preauth << 0); tmp131__ |= (pSrc->reserved << 1); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp131__, 0); *pnConsumed += 2; pBuf += 2;
@@ -21303,6 +23471,9 @@ uint32_t dot11f_pack_ie_wmm_caps(tpAniSirGlobal pCtx, tmp132__ |= (pSrc->queue_request << 5); tmp132__ |= (pSrc->txop_request << 6); tmp132__ |= (pSrc->more_ack << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp132__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -21351,6 +23522,9 @@ uint32_t dot11f_pack_ie_wmm_info_ap(tpAniSirGlobal pCtx, tmp133__ |= (pSrc->param_set_count << 0); tmp133__ |= (pSrc->reserved << 4); tmp133__ |= (pSrc->uapsd << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp133__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -21403,6 +23577,9 @@ uint32_t dot11f_pack_ie_wmm_info_station(tpAniSirGlobal pCtx, tmp134__ |= (pSrc->reserved1 << 4); tmp134__ |= (pSrc->max_sp_length << 5); tmp134__ |= (pSrc->reserved2 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp134__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
@@ -21465,6 +23642,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp135__ |= (pSrc->acbe_acm << 4); tmp135__ |= (pSrc->acbe_aci << 5); tmp135__ |= (pSrc->unused1 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp135__; *pnConsumed += 1; pBuf += 1;
@@ -21472,6 +23652,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp136__ = 0U; tmp136__ |= (pSrc->acbe_acwmin << 0); tmp136__ |= (pSrc->acbe_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp136__; *pnConsumed += 1; pBuf += 1;
@@ -21484,6 +23667,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp137__ |= (pSrc->acbk_acm << 4); tmp137__ |= (pSrc->acbk_aci << 5); tmp137__ |= (pSrc->unused2 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp137__; *pnConsumed += 1; pBuf += 1;
@@ -21491,6 +23677,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp138__ = 0U; tmp138__ |= (pSrc->acbk_acwmin << 0); tmp138__ |= (pSrc->acbk_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp138__; *pnConsumed += 1; pBuf += 1;
@@ -21503,6 +23692,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp139__ |= (pSrc->acvi_acm << 4); tmp139__ |= (pSrc->acvi_aci << 5); tmp139__ |= (pSrc->unused3 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp139__; *pnConsumed += 1; pBuf += 1;
@@ -21510,6 +23702,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp140__ = 0U; tmp140__ |= (pSrc->acvi_acwmin << 0); tmp140__ |= (pSrc->acvi_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp140__; *pnConsumed += 1; pBuf += 1;
@@ -21522,6 +23717,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp141__ |= (pSrc->acvo_acm << 4); tmp141__ |= (pSrc->acvo_aci << 5); tmp141__ |= (pSrc->unused4 << 7); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp141__; *pnConsumed += 1; pBuf += 1;
@@ -21529,6 +23727,9 @@ uint32_t dot11f_pack_ie_wmm_params(tpAniSirGlobal pCtx, tmp142__ = 0U; tmp142__ |= (pSrc->acvo_acwmin << 0); tmp142__ |= (pSrc->acvo_acwmax << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp142__; *pnConsumed += 1; pBuf += 1;
@@ -22211,6 +24412,9 @@ uint32_t dot11f_pack_ie_fils_indication(tpAniSirGlobal pCtx, tmp143__ |= (pSrc->is_fils_sk_auth_pfs_supported << 10); tmp143__ |= (pSrc->is_pk_auth_supported << 11); tmp143__ |= (pSrc->reserved << 12); + if (unlikely(nBuf < 2)) + return DOT11F_INCOMPLETE_IE; + frameshtons(pCtx, pBuf, tmp143__, 0); *pnConsumed += 2; pBuf += 2;
@@ -22482,6 +24686,9 @@ uint32_t dot11f_pack_ie_hs20vendor_ie(tpAniSirGlobal pCtx, tmp144__ |= (pSrc->hs_id_present << 1); tmp144__ |= (pSrc->reserved << 3); tmp144__ |= (pSrc->release_num << 4); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp144__; *pnConsumed += 1; pBuf += 1;
@@ -22536,6 +24743,9 @@ uint32_t dot11f_pack_ie_ht2040_bss_coexistence(tpAniSirGlobal pCtx, tmp145__ |= (pSrc->obss_scan_exemption_req << 3); tmp145__ |= (pSrc->obss_scan_exemption_grant << 4); tmp145__ |= (pSrc->unused << 5); + if (unlikely(nBuf < 1)) + return DOT11F_INCOMPLETE_IE; + *pBuf = tmp145__; *pnConsumed += 1; /* fieldsEndFlag = 1 */
diff --git a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/parser_api.c b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/parser_api.c
index d57570549dce..627680645217 100644
--- a/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/parser_api.c
+++ b/drivers/staging/qcacld-3.0/core/mac/src/sys/legacy/src/utils/src/parser_api.c
@@ -4614,7 +4614,7 @@ sir_convert_addts_req2_struct(tpAniSirGlobal pMac, if (addts.num_WMMTCLAS) { j = (uint8_t) (pAddTs->numTclas + addts.num_WMMTCLAS); - if (SIR_MAC_TCLASIE_MAXNUM > j) + if (SIR_MAC_TCLASIE_MAXNUM < j) j = SIR_MAC_TCLASIE_MAXNUM; for (i = pAddTs->numTclas; i < j; ++i) {
@@ -4774,7 +4774,7 @@ sir_convert_addts_rsp2_struct(tpAniSirGlobal pMac, if (addts.num_WMMTCLAS) { j = (uint8_t) (pAddTs->numTclas + addts.num_WMMTCLAS); - if (SIR_MAC_TCLASIE_MAXNUM > j) + if (SIR_MAC_TCLASIE_MAXNUM < j) j = SIR_MAC_TCLASIE_MAXNUM; for (i = pAddTs->numTclas; i < j; ++i) {
diff --git a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
index a79765e32b57..0b63d68cf4b3 100644
--- a/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
+++ b/drivers/staging/qcacld-3.0/core/wma/src/wma_utils.c
@@ -1558,6 +1558,15 @@ static int wma_unified_radio_tx_power_level_stats_event_handler(void *handle, fixed_param->radio_id; tx_power_level_values = (uint8_t *) param_tlvs->tx_time_per_power_level; + if (rs_results->total_num_tx_power_levels && + fixed_param->total_num_tx_power_levels > + rs_results->total_num_tx_power_levels) { + WMA_LOGE("%s: excess tx_power buffers:%d, total_num_tx_power_levels:%d", + __func__, fixed_param->total_num_tx_power_levels, + rs_results->total_num_tx_power_levels); + return -EINVAL; + } + rs_results->total_num_tx_power_levels = fixed_param->total_num_tx_power_levels; if (!rs_results->total_num_tx_power_levels) { |
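Review bot: The corrected clamp `if (SIR_MAC_TCLASIE_MAXNUM < j) j = SIR_MAC_TCLASIE_MAXNUM;` in sir_convert_addts_req2_struct (and the identical change in sir_convert_addts_rsp2_struct in the next hunk) now bounds the copy loop, but `j` is produced one line earlier as `(uint8_t) (pAddTs->numTclas + addts.num_WMMTCLAS)`, so a sum above 255 wraps before the clamp sees it and silently yields a small `j`; the operand types are not visible here, but computing the sum in a wider type and clamping before narrowing, e.g. `uint32_t total = pAddTs->numTclas + addts.num_WMMTCLAS;` followed by the clamp and then the narrowing assignment, removes that dependency. Entries beyond the cap are now dropped silently; a log line at the clamp would make a peer sending more TCLAS elements than supported visible in the trace. The loop body and the subsequent update of `pAddTs->numTclas` are outside the hunk.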
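Review bot: The new guard in wma_unified_radio_tx_power_level_stats_event_handler only rejects `fixed_param->total_num_tx_power_levels` when `rs_results->total_num_tx_power_levels` is already non-zero, so the first event for a radio assigns the firmware-supplied total unconditionally on the line right after the guard; that is adequate only if the allocation sized from it and the per-event count used to index `tx_power_level_values` are bounded further down the handler, which is outside this hunk and worth confirming since both values arrive from firmware. The WMA_LOGE names neither the radio nor the event source; adding `fixed_param->radio_id`, which the hunk already reads a few lines above, would make the rejection traceable. The rest of the handler lies outside the hunk.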