commit abdd0074462109fe4e740a2356450bc43b70eb5b
author Gururaj Pandurangi <panduran@codeaurora.org> Wed Oct 27 12:02:58 2021 -0700
committer Gerrit - the friendly Code Review server <code-review@localhost> Mon Nov 22 00:30:00 2021 -0800
tree 4be610f97e27a815e1fa5cf7f798e94e1a0d4c1d
parent c202f3ef17802d25455e287421bf2e04ad22c222

wlan: Avoid OOB read in dot11f_unpack_assoc_response

Avoid OOB read in dot11f_unpack_assoc_response API. Modify
the check to nBuf-len > 1 to read another byte of pBufRemaining.
This ensures a read of at least 2 bytes since all IEs have
at least 2 bytes.

Change-Id: If8f43739091b1baa8a86751fa60b9af2a90a751a
CRs-Fixed: 3064612

CORE/SYS/legacy/src/utils/src/dot11f.c

diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index b26ec17..0f66df0 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -494,7 +494,7 @@
     len += *(pBufRemaining+1);
     pBufRemaining += len + 2;
     len += 2;
-    while ( len < nBuf )
+    while ( len + 1 < nBuf )
     {
         if( NULL == (pIe =  FindIEDefn(pCtx, pBufRemaining, nBuf - len, IEs)))
              break;