qcacld-3.0: Possible OOB read when parsing FT IE
FTIE buffer carries multiple FT subelements (like R1KH-ID, R0KH-ID, GTK, IGTK, etc).

Total FTIE buffer len = Number of FT subelements * (Subelement ID (1 byte) + length (1 byte) + data length)

Currently, Host checks only the minimum length for FTIE buffer while filling each FT subelement. This leads to OOB if the remaining length of FTIE length buffer is less than the length of an FT subelement.

Before filling each subelement into FTIE buffer, add a check to validate subelement length against remaining FTIE length.

Change-Id: I5d6f4a59eef591d3a2da9f2403738d1fdd1a88b2
CRs-Fixed: 2857084
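The check described in the commit message, sketched as an added example (not code from this commit or from qcacld-3.0). It assumes the buffer passed in is only the subelement region of the FTIE; the function name and the sample bytes are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not a qcacld-3.0 function): walks the subelement
 * region of an FTIE and returns the number of well-formed subelements,
 * or -1 if any subelement claims more data than the buffer still holds. */
int ft_count_subelems(const uint8_t *buf, size_t len)
{
    size_t off = 0;
    int count = 0;

    while (off < len) {
        size_t remaining = len - off;

        /* Need the 1-byte ID and 1-byte length before reading either. */
        if (remaining < 2)
            return -1;

        uint8_t sub_len = buf[off + 1];

        /* Validate the subelement length against the remaining FTIE
         * length, not just against a fixed minimum. */
        if (sub_len > remaining - 2)
            return -1;

        off += 2 + (size_t)sub_len;
        count++;
    }
    return count;
}

/* Constructed sample data: one complete 6-byte subelement (ID 1). */
static const uint8_t ft_ok[] = { 0x01, 0x06, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
/* Constructed: same, then ID 3 claiming 16 bytes with only 2 present. */
static const uint8_t ft_trunc[] = { 0x01, 0x06, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff,
                                    0x03, 0x10, 0x11, 0x22 };

int main(void)
{
    printf("ok=%d trunc=%d\n",
           ft_count_subelems(ft_ok, sizeof(ft_ok)),
           ft_count_subelems(ft_trunc, sizeof(ft_trunc)));
    return 0;
}
```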