Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 228645aa79852e703541b229d9eaa264d1668e1f
commit228645aa79852e703541b229d9eaa264d1668e1f[log] [tgz]
authorVignesh Viswanathan <viswanat@codeaurora.org>Tue May 29 10:25:56 2018 +0530
committernshrivas <nshrivas@codeaurora.org>Fri Jun 08 10:11:54 2018 -0700
tree8eaf426b44f6c55356809402e97e0e714dde7428
parentedd1d375889718c59b368dc4593d4c65176a058b [diff]
qcacld-3.0: Validate TLV length in FILS wrapped data before processing

While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.

Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.

Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
1 file changed
tree: 8eaf426b44f6c55356809402e97e0e714dde7428
  1. components/
  2. configs/
  3. core/
  4. uapi/
  5. Android.mk
  6. Kbuild
  7. Kconfig
  8. Makefile
  9. README.txt