Commit f9b5f8c5 authored by Gururaj Pandurangi, committed by Madan Koyyalamudi

qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response

Avoid OOB read in dot11f_unpack_assoc_response API. Add check
for when nBuf == len to read another byte of pBufRemaining.

Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785
CRs-Fixed: 3042293
parent 76a7ae98
+1 −1
@@ -335,7 +335,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
	len += *(pBufRemaining+1);
	pBufRemaining += len + 2;
	len += 2;
	while (len < nBuf) {
	while (len + 1 < nBuf) {
		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
		if (NULL == pIe)
			break;
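
Review bot: The two lines just above the loop, `len += *(pBufRemaining+1);` and `pBufRemaining += len + 2;`, read a length byte from the frame and advance the pointer by it with no bound check visible in this hunk, so the new `while (len + 1 < nBuf)` guard only protects iterations after that first read. Please confirm that earlier code guarantees at least two bytes at `pBufRemaining` and that `len + 2` cannot exceed `nBuf` before this point, or add that check here. The `+ 1` in the loop condition would also benefit from a one-line comment saying that each IE needs a two-byte header (element ID and length) to be present before it is parsed. Finally, the commit message describes the case as `nBuf == len`, which the old `len < nBuf` condition already excluded; the case this change closes is a single trailing byte (`len + 1 == nBuf`), and the message would be clearer if it said so.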