wlan: Avoid OOB read in dot11f_unpack_assoc_response
Avoid OOB read in dot11f_unpack_assoc_response API. Modify
the check to nBuf-len > 1 to read another byte of pBufRemaining.
This ensures a read of at least 2 bytes since all IEs have
at least 2 bytes.
Change-Id: If8f43739091b1baa8a86751fa60b9af2a90a751a
CRs-Fixed: 3064612
diff --git a/CORE/SYS/legacy/src/utils/src/dot11f.c b/CORE/SYS/legacy/src/utils/src/dot11f.c
index b26ec17..0f66df0 100644
--- a/CORE/SYS/legacy/src/utils/src/dot11f.c
+++ b/CORE/SYS/legacy/src/utils/src/dot11f.c
@@ -494,7 +494,7 @@
len += *(pBufRemaining+1);
pBufRemaining += len + 2;
len += 2;
- while ( len < nBuf )
+ while ( len + 1 < nBuf )
{
if( NULL == (pIe = FindIEDefn(pCtx, pBufRemaining, nBuf - len, IEs)))
break;