
Commit decc73bf authored by Pragaspathi Thilagaraj

wlan: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.
Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2423554
parent 1cf97dd9
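The length accounting described in the commit message, as an added example that is not the driver's code or part of this commit. `struct raw_wpa_ie`, `overread` and `wpa_body_len` are hypothetical names, and the example assumes the unpacker starts reading just after the 4 OUI bytes; it also rejects an IE shorter than 4 bytes, where the subtraction would go negative.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define WPA_OUI_LEN 4u  /* the "4 bytes of the OUI fields" from the commit message */

/* Hypothetical stand-in for the stored IE: `length` counts every valid byte
 * of info[], including the OUI bytes at the front. */
struct raw_wpa_ie {
    uint8_t length;
    uint8_t info[255];
};

/* Bytes past the valid IE data that an unpacker touches when it starts at
 * info[WPA_OUI_LEN] (assumed) and consumes `len` bytes. 0 means in bounds. */
static size_t overread(const struct raw_wpa_ie *ie, size_t len)
{
    size_t end = (size_t)WPA_OUI_LEN + len;
    return end > ie->length ? end - ie->length : 0;
}

/* Length to hand to the unpacker. Returns -1 for an IE too short to hold the
 * OUI, where `length - 4` would go negative and wrap as an unsigned length. */
static int wpa_body_len(const struct raw_wpa_ie *ie, size_t *out)
{
    if (ie->length < WPA_OUI_LEN)
        return -1;
    *out = (size_t)ie->length - WPA_OUI_LEN;
    return 0;
}

int main(void)
{
    struct raw_wpa_ie ie = { .length = 26 };  /* constructed sample */
    size_t body = 0;

    printf("full length: overread %zu bytes\n", overread(&ie, ie.length));
    if (wpa_body_len(&ie, &body) == 0)
        printf("length - 4:  overread %zu bytes\n", overread(&ie, body));

    ie.length = 2;  /* constructed: truncated IE */
    printf("short IE accepted: %s\n",
           wpa_body_len(&ie, &body) == 0 ? "yes" : "no");
    return 0;
}
```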