Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm / ddf5b1e7af92eacf639697d251a5753f12901bde
commitddf5b1e7af92eacf639697d251a5753f12901bde[log] [tgz]
authorGururaj Patil <gururaj.patil3@harman.com>Thu Oct 24 12:17:22 2019 +0000
committerKarsten Tausche <karsten@fairphone.com>Thu Nov 28 17:10:33 2019 +0100
tree5ab4f675d8bf816907fbf8cdb6b534b8fe80ab6c
parentc1a9c55d5dcc0652548632b9be1c680481ed748a [diff]
wlan: Fix OOB read in lim_process_deauth_frame

In the API lim_process_deauth_frame, the reason-code is
fetched from the payload, and it may happen that the
payload received is empty, and the MPDU just contains the
header, so the driver may access the memory not allocated
to the frame, thus resulting in a OOB read.

Fix is to have a min length check of 16 bits for the
reason code before accessing it.

Issue: SEC-1892
Change-Id: I471198582bd7d40dee45d88b76ce6231456dc5ce
CRs-Fixed: 2249768
Signed-off-by: Gururaj Patil <gururaj.patil3@harman.com>
1 file changed
tree: 5ab4f675d8bf816907fbf8cdb6b534b8fe80ab6c
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. AndroidKernel.mk
  25. COPYING
  26. CREDITS
  27. Kbuild
  28. Kconfig
  29. MAINTAINERS
  30. Makefile
  31. README
  32. REPORTING-BUGS