FPII-1945:Elevation of Privilege Vulnerability in Qualcomm Wi-Fi Driver (Device Specific) CVE-2016-2474 ANDROID-27424603
An elevation of privilege vulnerability in the Qualcomm Wi-Fi driver could enable a local malicious application to execute arbitrary code within the context of the kernel. This issue is rated as Critical severity due to the possibility of a local permanent device compromise, which may require reflashing the operating system to repair the device.
Note: There is no patch provided in the zip file for this device-specific issue. Where possible, we have provided links to publicly available patches or code snippets for reference. Where necessary, partners should contact the vendor to get an applicable patch. This information is provided for completeness and partner awareness.
Additional Technical Details:
Bug:ANDROID-27424603
(Qualcomm ref#: CR#993561)
Change-Id: I4057a1e762454762963709fbf209b73b8e5a5199
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index bce26c7..f8593a2 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -4338,17 +4338,17 @@
/*no argument followed by spaces*/
if ('\0' == *inPtr) return -EINVAL;
- /*getting the first argument ie measurement token*/
+ /* Getting the first argument ie Number of IE fields */
v = sscanf(inPtr, "%31s ", buf);
if (1 != v) return -EINVAL;
v = kstrtos32(buf, 10, &tempInt);
if ( v < 0) return -EINVAL;
+ tempInt = VOS_MIN(tempInt, SIR_ESE_MAX_MEAS_IE_REQS);
pEseBcnReq->numBcnReqIe = tempInt;
- VOS_TRACE( VOS_MODULE_ID_HDD, VOS_TRACE_LEVEL_INFO_HIGH,
- "Number of Bcn Req Ie fields(%d)", pEseBcnReq->numBcnReqIe);
+ hddLog(LOG1, "Number of Bcn Req Ie fields: %d", pEseBcnReq->numBcnReqIe);
for (j = 0; j < (pEseBcnReq->numBcnReqIe); j++)
{