commit | c783c07b93ca0df9abf58308ff8793b4514fce15 | [log] [tgz] |
---|---|---|
author | hqu <hqu@codeaurora.org> | Wed Jan 30 17:40:35 2019 +0800 |
committer | nshrivas <nshrivas@codeaurora.org> | Mon Feb 04 17:52:28 2019 -0800 |
tree | aa98922db3f00bdbe39ffc5ce9d211a0999a9526 | |
parent | c81b9a3b34f2330c2bd967b8190562c328b548ac [diff] |
qcacmn: Fix possible OOB read in extract_mac_phy_cap_service_ready_ext_tlv In extract_mac_phy_cap_service_ready_ext() the field num_hw_modes of hw_caps is used as loop bounds and may be attacked. hw_mode_caps is a pointer defined by firmware. The exact array length cannot be got since hw_mode_caps pointing array length is variable. Fix is to add check for field num_hw_modes of hw_caps. Change-Id: Ie234db3f2356186a4e7aac121ec88dd7e6453efd CRs-Fixed: 2387221