Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit 01cba11e authored by Deeksha Gupta's avatar Deeksha Gupta Committed by Gerrit - the friendly Code Review server
Browse files

qcacld-3.0: Fix possible OOB in unpack_tlv_core 

Currently in unpack_tlv_core(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282
parent 54fbd934
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment