wlan: Fix potential OOB read in dot11f.c
In function get_container_ies_len, nBuf is passed from caller function
as length of the buffer remaining in the frame. len is calculated from
the length field present in the IE. Then find_ie_defn is called with
nBuf + len as buffer length available leading to potential OOB read
in the function find_ie_defn.
Also in function get_container_ies_len, if len is greater than nBuf,
OOB read would occur in the caller function unpack_core.
In function unpack_core, len is calculated from the length field in
the IE buffer, then the IE is parsed in one of the unpack functions
where len is decremented without any check for min value of len.
If the value of len obtained from the IE buffer is less than the
minSize of the IE, then an integer underflow would occur.
1. In function get_container_ies_len, change calling of find_ie_defn
to use nbuf - len.
2. In function get_container_ies_len, if len > nbuf, return error.
3. In function unpack_core, add sanity check to make sure len is not
less thatn IE's minSize.
Change-Id: I8e42fb7e9674845d152d2ec26a592e02a1b562ab
CRs-Fixed: 2164275
2 files changed