2d1b311af247ff4a3b34047d46b051965355687c - platform/vendor/qcom-opensource/wlan/qcacld-3.0

commit	2d1b311af247ff4a3b34047d46b051965355687c	[log] [tgz]
author	Pragaspathi Thilagaraj <tpragasp@codeaurora.org>	Fri Jul 06 15:54:42 2018 +0530
committer	nshrivas <nshrivas@codeaurora.org>	Sat Jul 21 03:35:33 2018 -0700
tree	abd2fb5891868f3606029dca16f05b6cc4e1f626
parent	c8d91102fac58c96e15dd8c640f05c4665243d23 [diff]

qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.

Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2267557

core/mac/inc/sir_mac_prot_def.h[diff]
core/mac/src/pe/lim/lim_assoc_utils.c[diff]
core/mac/src/pe/lim/lim_process_assoc_req_frame.c[diff]

3 files changed

tree: abd2fb5891868f3606029dca16f05b6cc4e1f626

components/
configs/
core/
uapi/
Android.mk
Kbuild
Kconfig
Makefile
README.txt