Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 1cca2e27 authored by Deeksha Gupta's avatar Deeksha Gupta Committed by Gerrit - the friendly Code Review server
Browse files

wlan: Fix possible OOB in unpack_tlv_core 

Currently in UnpackTlvCore(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: Ia79a590efaa0d81f06eb66c2163da34f1932b18f
CRs-Fixed: 3048959
parent b53da9a7
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment