Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 3a66174d01a71d55e6cad58fde11cbf7767c9789
commit3a66174d01a71d55e6cad58fde11cbf7767c9789[log] [tgz]
authorAbhinav Kumar <abhikuma@codeaurora.org>Mon Jan 25 16:16:39 2021 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>Sun Feb 28 12:09:09 2021 -0800
treebe4592a87fdf0edcfd07c12169fe8ed21035f0e0
parentb882611840510e311fdcc119080ade9645586174 [diff]
qcacld-3.0: Possible OOB read when parsing FT IE

FTIE buffer carries multiple FT subelements (like R1KH-ID,
R0KH-ID, GTK, IGTK, etc).

Total FTIE buffer len = Number of FT subelements * (Subelement
ID (1 bytes) + lenght (1 bytes) + data length)

Currently, Host checks only the minimum length for FTIE buffer
while filling each FT subelements. This leads to OOB if the
remaining length of FTIE length buffer less than the length of
an FT subelement.

Before filling each subelement into FTIE buffer, add a check
to validate subelement length against remaining FTIE length

Change-Id: I5d6f4a59eef591d3a2da9f2403738d1fdd1a88b2
CRs-Fixed: 2857084
1 file changed
tree: be4592a87fdf0edcfd07c12169fe8ed21035f0e0
  1. components/
  2. configs/
  3. core/
  4. os_if/
  5. uapi/
  6. Android.mk
  7. Kbuild
  8. Kconfig
  9. Makefile
  10. README.txt