Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qca-wifi-host-cmn / c783c07b93ca0df9abf58308ff8793b4514fce15
commitc783c07b93ca0df9abf58308ff8793b4514fce15[log] [tgz]
authorhqu <hqu@codeaurora.org>Wed Jan 30 17:40:35 2019 +0800
committernshrivas <nshrivas@codeaurora.org>Mon Feb 04 17:52:28 2019 -0800
treeaa98922db3f00bdbe39ffc5ce9d211a0999a9526
parentc81b9a3b34f2330c2bd967b8190562c328b548ac [diff]
qcacmn: Fix possible OOB read in extract_mac_phy_cap_service_ready_ext_tlv

In extract_mac_phy_cap_service_ready_ext() the field num_hw_modes
of hw_caps is used as loop bounds and may be attacked.

hw_mode_caps is a pointer defined by firmware. The exact array
length cannot be got since hw_mode_caps pointing array length
is variable. Fix is to add check for field num_hw_modes of hw_caps.

Change-Id: Ie234db3f2356186a4e7aac121ec88dd7e6453efd
CRs-Fixed: 2387221
1 file changed
tree: aa98922db3f00bdbe39ffc5ce9d211a0999a9526
  1. cfg/
  2. dp/
  3. ftm/
  4. global_lmac_if/
  5. hal/
  6. hif/
  7. htc/
  8. init_deinit/
  9. os_if/
  10. qal/
  11. qdf/
  12. scheduler/
  13. spectral/
  14. target_if/
  15. umac/
  16. utils/
  17. wbuff/
  18. wlan_cfg/
  19. wmi/
  20. README.txt
  21. VERSION.txt