commit | 4689388205d91f16eb106ba8731b37610bb0218c | [log] [tgz] |
---|---|---|
author | Deeksha Gupta <deegupta@codeaurora.org> | Tue Oct 05 09:17:30 2021 +0530 |
committer | Gerrit - the friendly Code Review server <code-review@localhost> | Wed Dec 01 03:29:21 2021 -0800 |
tree | ff667cf173131ae6c50b262285bbe3d5d0abdd51 | |
parent | 1805c11c64d9f0060c015246cf997cf210c2f113 [diff] |
wlan: Fix possible OOB in unpack_tlv_core Currently in UnpackTlvCore(), nBufRemaining is validated after calling framesntohs API. Since, framesntohs() copies pIn address to pOut address with length = 2 bytes as below. DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2); which could cause OOB issue if pIn contains less than 2 bytes. Fix is to validate the nBufRemaining size before calling framesntohs(). Change-Id: Ia79a590efaa0d81f06eb66c2163da34f1932b18f CRs-Fixed: 3048959