Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d7687fb2 authored by Vinod Kumar Myadam's avatar Vinod Kumar Myadam
Browse files

qcacmn: Fix OOB in util_gen_new_ie 

For example, If tmp_new[1] = 3, subie_len=160,
tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy will be 159.
In this scenario, while condition gets true (159 <= 160)
In if condition (159 >= 160), we are not breaking the loop in if.
tmp_new will get incremented, tmp_new will point at 159,
tmp_new[1] will point at 160, tmp_new[2] point at 161.
So, we are accessing one byte out-of-bound value.

To fix accessing out-of-bound value subtract one from the subie_len
in while and if condition to avoid this scenario.

Change-Id: I624585323963b6d79acf9ff0f96ec17e0b415c2d
CRs-Fixed: 3358833
parent 074d2855
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment