qcacmn: Fix OOB reads in util_gen_new_ie (9f529222) · Commits · e / devices / android_kernel_fairphone_FP5

umac/scan/dispatcher/src/wlan_scan_utils_api.c

+12 −2

Original line number	Diff line number	Diff line
		@@ -2030,6 +2030,11 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
		tmp_old = util_scan_find_ie(WLAN_ELEMID_SSID, ie, ielen);
		tmp_old = (tmp_old) ? tmp_old + tmp_old[1] + MIN_IE_LEN : ie;

		if (((tmp_old + MIN_IE_LEN) - ie) >= ielen) {
		qdf_mem_free(sub_copy);
		return 0;
		}

		while (((tmp_old + tmp_old[1] + MIN_IE_LEN) - ie) <= ielen) {
		ninh.non_inh_ie_found = 0;
		if (ninh.non_inherit) {
		@@ -2051,6 +2056,9 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
		}

		if (ninh.non_inh_ie_found \|\| (tmp_old[0] == 0)) {
		if (((tmp_old + tmp_old[1] + MIN_IE_LEN) - ie) >=
		(ielen - MIN_IE_LEN))
		break;
		tmp_old += tmp_old[1] + MIN_IE_LEN;
		continue;
		}
		@@ -2105,7 +2113,8 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
		MIN_IE_LEN;
		}
		}
		} else if (tmp_old[0] == WLAN_ELEMID_EXTN_ELEM) {
		} else if (tmp_old[0] == WLAN_ELEMID_EXTN_ELEM &&
		tmp_rem_len >= (MIN_IE_LEN + 1)) {
		if (tmp_old[PAYLOAD_START_POS] ==
		tmp[PAYLOAD_START_POS]) {
		/* same ie, copy from subelement */
		@@ -2139,7 +2148,8 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
		}
		}

		if (((tmp_old + tmp_old[1] + MIN_IE_LEN) - ie) >= ielen)
		if (((tmp_old + tmp_old[1] + MIN_IE_LEN) - ie) >=
		(ielen - MIN_IE_LEN))
		break;

		tmp_old += tmp_old[1] + MIN_IE_LEN;