BACKPORT: qcacmn: Fix potential OOB read in util_scan_parse_rnr_ie (19be8f1d) · Commits · e / devices / android_kernel_oneplus_sm7250

drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c

+4 −2

Original line number	Diff line number	Diff line
		@@ -709,7 +709,8 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
		rnr_ie_len = ie->ie_len;
		data = (uint8_t *)ie + sizeof(struct ie_header);

		while (data < ((uint8_t *)ie + rnr_ie_len + 2)) {
		while ((data + sizeof(struct neighbor_ap_info_field)) <=
		((uint8_t *)ie + rnr_ie_len + 2)) {
		neighbor_ap_info = (struct neighbor_ap_info_field *)data;
		tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
		tbtt_length = neighbor_ap_info->tbtt_header.tbtt_info_length;
		@@ -725,7 +726,8 @@ util_scan_parse_rnr_ie(struct scan_cache_entry *scan_entry,
		break;

		for (i = 0; i < (tbtt_count + 1) &&
		data < ((uint8_t *)ie + rnr_ie_len + 2); i++) {
		(data + tbtt_length) <=
		((uint8_t *)ie + rnr_ie_len + 2); i++) {
		if (i < MAX_RNR_BSS)
		util_scan_update_rnr(
		&scan_entry->rnr.bss_info[i],