Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 54e92ccc authored by hqu's avatar hqu Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: Fix potential oob issue in wlan_parse_wapi_ie() 

In function wlan_parse_wapi_ie(), len shows the remaining length
for ie content, it may cause oob issue when get uc_cipher_count
field from ie, need to add length check before get uc_cipher_count
field from ie.

Change-Id: Ie2d65284b2a172021d00f6385253368ec7603948
CRs-Fixed: 2832873
parent de141922

umac/cmn_services/cmn_defs/inc/wlan_cmn_ieee80211.h

+3 −0
Original line number Diff line number Diff line
@@ -1994,9 +1994,12 @@ static inline void wlan_parse_wapi_ie(uint8_t *wapi_ie, 
		len -= WLAN_OUI_SIZE;

	}



	if (len < 2)

		return;

	wapi->uc_cipher_count = LE_READ_2(ie);

	ie += 2;

	len -= 2;



	if ((wapi->uc_cipher_count > WLAN_MAX_CIPHER) ||

	   len < (wapi->uc_cipher_count * WLAN_OUI_SIZE + 2))

		return;