Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / d5d7a80311f994a021f92637662cef92b59cc84d
commitd5d7a80311f994a021f92637662cef92b59cc84d[log] [tgz]
authorAbhinav Kumar <abhikuma@codeaurora.org>Fri Jun 08 14:44:15 2018 +0530
committerKarsten Tausche <karsten@fairphone.com>Mon Jul 15 10:41:28 2019 +0200
treeed9ca7846e75bce545140412f2ba86628e35c7b5
parenta3f54a7d48a8bee9049d0ea14e4d47744fceb72a [diff]
prima: Possible buff overflow in sir_convert_assoc_resp_frame2_struct

Adaption from qcacld-3.0 to prima.

After parsing of Re/Association Response frame,
sir_convert_assoc_resp_frame2_struct populates association response
structure sSirAssocRsp. In case if FEATURE_WLAN_ESE is enabled,
the host runs a loop to memcopy for all WMM TSPEC info from the parsed
buffer to association response structure.
Currently, While copying parsed data to sSirAssocRsp,
sir_convert_assoc_resp_frame2_struct is passing (sizeof(tDot11fIEWMMTSPEC)
* ar->num_WMMTSPEC)) as length argument to qdf_mem_copy to copy individual
TSPECInfo, which results to buffer overflow, as size of per
TSPECInfo is only sizeof(tDot11fIEWMMTSPEC).

Pass correct length to qdf_mem_copy while coping TSPECInfo.

Issue: SEC-1863
Change-Id: I9c74e3bbd387fda736a715625260d95c67f03ecc
CRs-Fixed: 2254946
Bug: 79377832
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
(adapted from commit 9f631e74eb50a00a6b419b830223c8c7ee28705a)
1 file changed
tree: ed9ca7846e75bce545140412f2ba86628e35c7b5
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS