DivestOS/Patches/Linux_CVEs/CVE-2017-9714/ANY/1.patch

From 822958b55703d8a3d7f7e2d9b1cd1736c9878a3b Mon Sep 17 00:00:00 2001
From: Kapil Gupta <kapgupta@codeaurora.org>
Date: Tue, 16 May 2017 12:39:54 +0530
Subject: [PATCH] qcacld-2.0: Drop assoc request if RSNIE/WPAIE parsing fail

Add changes to drop assoc request and return error if RSNIE or
WPAIE parsing fail during parsing of assoc request.

Bug: 63868020

CRs-Fixed: 2046578
Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77
Signed-off-by: Ecco Park <eccopark@google.com>
---
 .../CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c  | 23 ++++++++++++++++++----
 1 file changed, 19 insertions(+), 4 deletions(-)

diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
index 4e7fbe2341811..5e2bb2dd04f2c 100644
--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c
@@ -711,10 +711,18 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,
                 if(pAssocReq->rsn.length)
                 {
                     // Unpack the RSN IE
-                    dot11fUnpackIeRSN(pMac,
+                    if (dot11fUnpackIeRSN(pMac,
                                         &pAssocReq->rsn.info[0],
                                         pAssocReq->rsn.length,
-                                        &Dot11fIERSN);
+                                        &Dot11fIERSN) != DOT11F_PARSE_SUCCESS)
+                    {
+                        limLog(pMac, LOG1,
+                            FL("Invalid RSNIE received"));
+                        limSendAssocRspMgmtFrame(pMac,
+                            eSIR_MAC_INVALID_RSN_IE_CAPABILITIES_STATUS,
+                            1, pHdr->sa, subType, 0,psessionEntry);
+                        goto error;
+                    }
 
                     /* Check RSN version is supported or not */
                     if(SIR_MAC_OUI_VERSION_1 == Dot11fIERSN.version)
@@ -780,10 +788,17 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,
                 // Unpack the WPA IE
                 if(pAssocReq->wpa.length)
                 {
-                    dot11fUnpackIeWPA(pMac,
+                    if (dot11fUnpackIeWPA(pMac,
                                         &pAssocReq->wpa.info[4], //OUI is not taken care
                                         pAssocReq->wpa.length,
-                                        &Dot11fIEWPA);
+                                        &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)
+                    {
+                        limLog(pMac, LOGE, FL("Invalid WPA IE"));
+                        limSendAssocRspMgmtFrame(pMac,
+                                eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS,
+                                1, pHdr->sa, subType, 0,psessionEntry);
+                        goto error;
+                    }
                     /* check the groupwise and pairwise cipher suites */
                     if(eSIR_SUCCESS != (status = limCheckRxWPAIeMatch(pMac, Dot11fIEWPA, psessionEntry, pAssocReq->HTCaps.present)))
                     {
Add patches for many Linux CVEs, and overhaul script paths 2017-10-29 01:48:53 -04:00			`From 822958b55703d8a3d7f7e2d9b1cd1736c9878a3b Mon Sep 17 00:00:00 2001`
			`From: Kapil Gupta <kapgupta@codeaurora.org>`
			`Date: Tue, 16 May 2017 12:39:54 +0530`
			`Subject: [PATCH] qcacld-2.0: Drop assoc request if RSNIE/WPAIE parsing fail`

			`Add changes to drop assoc request and return error if RSNIE or`
			`WPAIE parsing fail during parsing of assoc request.`

			`Bug: 63868020`

			`CRs-Fixed: 2046578`
			`Change-Id: I88d779399c2eba5d33c30144bf9600a1f3a00b77`
			`Signed-off-by: Ecco Park <eccopark@google.com>`
			`---`
			`.../CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c \| 23 ++++++++++++++++++----`
			`1 file changed, 19 insertions(+), 4 deletions(-)`

			`diff --git a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c`
			`index 4e7fbe2341811..5e2bb2dd04f2c 100644`
			`--- a/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c`
			`+++ b/drivers/staging/qcacld-2.0/CORE/MAC/src/pe/lim/limProcessAssocReqFrame.c`
			`@@ -711,10 +711,18 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,`
			`if(pAssocReq->rsn.length)`
			`{`
			`// Unpack the RSN IE`
			`- dot11fUnpackIeRSN(pMac,`
			`+ if (dot11fUnpackIeRSN(pMac,`
			`&pAssocReq->rsn.info[0],`
			`pAssocReq->rsn.length,`
			`- &Dot11fIERSN);`
			`+ &Dot11fIERSN) != DOT11F_PARSE_SUCCESS)`
			`+ {`
			`+ limLog(pMac, LOG1,`
			`+ FL("Invalid RSNIE received"));`
			`+ limSendAssocRspMgmtFrame(pMac,`
			`+ eSIR_MAC_INVALID_RSN_IE_CAPABILITIES_STATUS,`
			`+ 1, pHdr->sa, subType, 0,psessionEntry);`
			`+ goto error;`
			`+ }`

			`/* Check RSN version is supported or not */`
			`if(SIR_MAC_OUI_VERSION_1 == Dot11fIERSN.version)`
			`@@ -780,10 +788,17 @@ limProcessAssocReqFrame(tpAniSirGlobal pMac, tANI_U8 *pRxPacketInfo,`
			`// Unpack the WPA IE`
			`if(pAssocReq->wpa.length)`
			`{`
			`- dot11fUnpackIeWPA(pMac,`
			`+ if (dot11fUnpackIeWPA(pMac,`
			`&pAssocReq->wpa.info[4], //OUI is not taken care`
			`pAssocReq->wpa.length,`
			`- &Dot11fIEWPA);`
			`+ &Dot11fIEWPA) != DOT11F_PARSE_SUCCESS)`
			`+ {`
			`+ limLog(pMac, LOGE, FL("Invalid WPA IE"));`
			`+ limSendAssocRspMgmtFrame(pMac,`
			`+ eSIR_MAC_INVALID_INFORMATION_ELEMENT_STATUS,`
			`+ 1, pHdr->sa, subType, 0,psessionEntry);`
			`+ goto error;`
			`+ }`
			`/* check the groupwise and pairwise cipher suites */`
			`if(eSIR_SUCCESS != (status = limCheckRxWPAIeMatch(pMac, Dot11fIEWPA, psessionEntry, pAssocReq->HTCaps.present)))`
			`{`