DivestOS/Patches/Linux_CVEs/CVE-2017-11013/ANY/0002.patch
2017-11-07 17:32:46 -05:00

99 lines
3.3 KiB
Diff

From c9f8654b11a1e693022ad7f163b3bc477fea8ce8 Mon Sep 17 00:00:00 2001
From: Naveen Rawat <naveenrawat@codeaurora.org>
Date: Fri, 9 Jun 2017 14:25:45 -0700
Subject: qcacld-3.0: Skip an IE if found more its max times in a frame
Check if a IE has been encountered more than max possible for that IE
while parsing a frame.
Change-Id: I1054c7df18780469849be55fc4343f09ac502a49
CRs-Fixed: 2058261
---
core/mac/src/include/dot11f.h | 4 ++--
core/mac/src/sys/legacy/src/utils/src/dot11f.c | 25 +++++++++++++------------
2 files changed, 15 insertions(+), 14 deletions(-)
diff --git a/core/mac/src/include/dot11f.h b/core/mac/src/include/dot11f.h
index 96b8c6c..c5be2fd 100644
--- a/core/mac/src/include/dot11f.h
+++ b/core/mac/src/include/dot11f.h
@@ -35,7 +35,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Mon Mar 13 16:17:19 2017 from the following file(s):
+ * Fri Jun 9 14:23:47 2017 from the following file(s):
*
* dot11f.frms
*
@@ -88,8 +88,8 @@ typedef uint32_t tDOT11F_U64[2];
#define DOT11F_BUFFER_OVERFLOW (0x10000005)
#define DOT11F_MANDATORY_TLV_MISSING (0x00001000)
#define DOT11F_FAILED(code) ((code) & 0x10000000)
-#define DOT11F_WARNED(code) (((0 == (code)) & 0x10000000) && code)
#define DOT11F_SUCCEEDED(code) ((code) == 0)
+#define DOT11F_WARNED(code) (!DOT11F_SUCCEEDED(code) && !DOT11F_FAILED(code))
/*********************************************************************
* Fixed Fields *
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index 210cf89..a6089b3 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -33,7 +33,7 @@
*
*
* This file was automatically generated by 'framesc'
- * Mon Mar 13 16:17:19 2017 from the following file(s):
+ * Fri Jun 9 14:23:47 2017 from the following file(s):
*
* dot11f.frms
*
@@ -9240,6 +9240,10 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
countOffset = ((0 != pIe->arraybound) *
(*(uint16_t *)(pFrm + pIe->countOffset)));
+ if (0 != pIe->arraybound && countOffset >= pIe->arraybound) {
+ status |= DOT11F_DUPLICATE_IE;
+ goto skip_dup_ie;
+ }
switch (pIe->sig) {
case SigIeGTK:
status |=
@@ -9819,17 +9823,13 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
countOffset));
break;
case SigIeNeighborReport:
- if (countOffset < MAX_SUPPORTED_NEIGHBOR_RPT) {
- status |=
- dot11f_unpack_ie_neighbor_report(
- pCtx, pBufRemaining, len,
- (tDot11fIENeighborReport *)
- (pFrm + pIe->offset +
- sizeof(tDot11fIENeighborReport) *
- countOffset));
- } else {
- status |= DOT11F_BUFFER_OVERFLOW;
- }
+ status |=
+ dot11f_unpack_ie_neighbor_report(
+ pCtx, pBufRemaining, len,
+ (tDot11fIENeighborReport *)
+ (pFrm + pIe->offset +
+ sizeof(tDot11fIENeighborReport) *
+ countOffset));
break;
case SigIeOBSSScanParameters:
status |=
@@ -10427,6 +10427,7 @@ static uint32_t unpack_core(tpAniSirGlobal pCtx,
status |= DOT11F_UNKNOWN_IES;
}
+skip_dup_ie:
pBufRemaining += len;
if (len > nBufRemaining) {
--
cgit v1.1