wlan: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie
In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.
Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.
Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2423554
1 file changed