Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Skip to content
Commit b8826118 authored by Jyoti Kumari's avatar Jyoti Kumari Committed by Gerrit - the friendly Code Review server
Browse files

qcacld-3.0: Fix integer underflow in assoc response frame 

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
parent 67b1685b
Hide whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment