Gitiles
Code Review Sign In
gerrit-public.fairphone.software / platform / vendor / qcom-opensource / wlan / qcacld-3.0 / 762ed1e51a6db6abd0f0d69c1312e1f3f08ecfa6
commit762ed1e51a6db6abd0f0d69c1312e1f3f08ecfa6[log] [tgz]
authorSourav Mohapatra <mohapatr@codeaurora.org>Thu Sep 05 14:34:19 2019 +0530
committernshrivas <nshrivas@codeaurora.org>Fri Jan 31 05:36:36 2020 -0800
treef34af5eec9f166e90ff4c44a9f5d77abfaf79aea
parentc26c742df391230aea73519aedb82a6dd7f70f6a [diff]
qcacld-3.0: Prevent possible OOB access in hdd_sendactionframe

In the function hdd_sendactionframe, the parameters passed include the
payload and the corresponding payload length; payload being generic
pointer. The payload is then typecasted into the destination structure
of type tpSirMacVendorSpecificFrameHdr. If the size of the payload
specified in payload_len is less than the size of the destination
structure, there is possiblility of OOB read while accessing the same.

To prevent this security vulnerability, add a sanity check for the
payload_len against the size of the destination structure.

Change-Id: Ib0e7b7bfcf78412d81f18cf887e5296d80272598
CRs-Fixed: 2517858
1 file changed
tree: f34af5eec9f166e90ff4c44a9f5d77abfaf79aea
  1. components/
  2. configs/
  3. core/
  4. os_if/
  5. uapi/
  6. Android.mk
  7. Kbuild
  8. Kconfig
  9. Makefile
  10. README.txt