From c9f8654b11a1e693022ad7f163b3bc477fea8ce8 Mon Sep 17 00:00:00 2001
From: Naveen Rawat
Date: Fri, 9 Jun 2017 14:25:45 -0700
Subject: qcacld-3.0: Skip an IE if found more its max times in a frame

Check if a IE has been encountered more than max possible for that IE while parsing a frame.

Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
CRs-Fixed: 2058261
---
 core/mac/src/include/dot11f.h | 4 ++--
 core/mac/src/sys/legacy/src/utils/src/dot11f.c | 25 +++++++++++++------------
 2 files changed, 15 insertions(+), 14 deletions(-)

diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 96b8c6c..c5be2fd 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -35,7 +35,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
- * Mon Mar 13 16:17:19 2017 from the following file(s):
+ * Fri Jun 9 14:23:47 2017 from the following file(s):
 *
 * dot11f.frms
 *
@@ -88,8 +88,8 @@ typedef uint32_t tDOT11F_U64[2];
 #define DOT11F_BUFFER_OVERFLOW (0x10000005)
 #define DOT11F_MANDATORY_TLV_MISSING (0x00001000)
 #define DOT11F_FAILED(code) ((code) & 0x10000000)
-#define DOT11F_WARNED(code) (((0 == (code)) & 0x10000000) && code)
 #define DOT11F_SUCCEEDED(code) ((code) == 0)
+#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
 /*********************************************************************
 * Fixed Fields
 *
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index 210cf89..a6089b3 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -33,7 +33,7 @@
 *
 *
 * This file was automatically generated by 'framesc'
- * Mon Mar 13 16:17:19 2017 from the following file(s):
+ * Fri Jun 9 14:23:47 2017 from the following file(s):
 *
 * dot11f.frms
 *
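Review bot: The rewritten DOT11F_WARNED in the second dot11f.h hunk changes observable behaviour that the commit message does not mention: the old expression was always false, because `(0 == (code)) & 0x10000000` is 0 for every value of code, so any caller that tests DOT11F_WARNED() now starts seeing true for non-zero, non-failing status words. The new form also expands `code` twice (once through DOT11F_SUCCEEDED, once through DOT11F_FAILED), so an argument with side effects is evaluated twice; the old macro had the same property, so this is not a regression, but it deserves a comment since the header is generated and the fix would have to go into the framesc template. A short comment beside the definition would make the contract explicit: `/* non-zero status without the 0x10000000 failure bit: parsed, with warnings */`.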
@@ -9240,6 +9240,10 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 countOffset = ((0 != pIe->arraybound) * (*(uint16_t *)(pFrm + pIe->countOffset)));
+ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
+ status |= DOT11F_DUPLICATE_IE;
+ goto skip_dup_ie;
+ }
 switch (pIe->sig) {
 case SigIeGTK:
 status |=
@@ -9819,17 +9823,13 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 countOffset));
 break;
 case SigIeNeighborReport:
- if (countOffset < MAX_SUPPORTED_NEIGHBOR_RPT) {
- status |=
- dot11f_unpack_ie_neighbor_report(
- pCtx, pBufRemaining, len,
- (tDot11fIENeighborReport *)
- (pFrm + pIe->offset +
- sizeof(tDot11fIENeighborReport) *
- countOffset));
- } else {
- status |= DOT11F_BUFFER_OVERFLOW;
- }
+ status |=
+ dot11f_unpack_ie_neighbor_report(
+ pCtx, pBufRemaining, len,
+ (tDot11fIENeighborReport *)
+ (pFrm + pIe->offset +
+ sizeof(tDot11fIENeighborReport) *
+ countOffset));
 break;
 case SigIeOBSSScanParameters:
 status |=
@@ -10427,6 +10427,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
 status |= DOT11F_UNKNOWN_IES;
 }
+skip_dup_ie:
 pBufRemaining += len;
 if (len > nBufRemaining) {
--
cgit v1.1
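Review bot: The new guard before the switch is now the only bound on the write at `pFrm + pIe->offset + sizeof(tDot11fIENeighborReport) * countOffset`, because the second hunk removes the explicit `countOffset < MAX_SUPPORTED_NEIGHBOR_RPT` check for SigIeNeighborReport; whether `pIe->arraybound` in the IE table equals the declared array length for that IE, and for every other IE with a count field, is not visible here and should be confirmed, since a larger table value would reopen the out-of-bounds write the old check prevented. The reported status also changes: the removed else branch set DOT11F_BUFFER_OVERFLOW, which DOT11F_FAILED() treats as a hard error, whereas the guard sets DOT11F_DUPLICATE_IE; if that code lacks the 0x10000000 bit, a frame carrying more neighbor reports than fit now parses with a warning instead of failing, and callers that gate on DOT11F_FAILED() will accept it. A comment on the guard would help the next reader: `/* count already at the array bound: flag the surplus IE and consume it without writing past the array */`. unpack_core begins before and ends after these hunks.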
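Review bot: The `skip_dup_ie:` label added in the last hunk has no comment saying who jumps to it or what still runs afterwards; since `pBufRemaining += len` and the `len > nBufRemaining` check just below it still execute for the skipped IE, a later edit that moves the label or inserts code above it could silently stop consuming the IE's bytes. One line pins that down: `skip_dup_ie: /* reached when an IE exceeds its arraybound; its bytes are still consumed below */`. The enclosing parsing loop continues outside the hunk.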