Commit f45869bf authored by Aditya Kodukula, committed by Gerrit - the friendly Code Review server

qcacld-3.0: Fix possible OOB read in wlan_hdd_set_sap_hwmode

A possible out-of-bound read can happen in the hdd function
wlan_hdd_set_sap_hwmode. To fix it, pass the proper length.

Change-Id: I11258c6d9f481a21afc3229762900153d6f83c82
CRs-Fixed: 2853407
parent a4cfe9ba
+10 −1
@@ -4447,12 +4447,21 @@ static void wlan_hdd_set_sap_hwmode(struct hdd_adapter *adapter)
	u8 checkRatesfor11g = true;
	u8 require_ht = false, require_vht = false;
	const u8 *ie;
	ssize_t size;

	config->SapHw_mode = eCSR_DOT11_MODE_11b;

	size = beacon->head_len - sizeof(mgmt_frame->u.beacon) -
	      (sizeof(*mgmt_frame) - sizeof(mgmt_frame->u));

	if (size <= 0) {
		hdd_err_rl("Invalid length: %zu", size);
		return;
	}

	ie = wlan_get_ie_ptr_from_eid(WLAN_EID_SUPP_RATES,
				      &mgmt_frame->u.beacon.variable[0],
				      beacon->head_len);
				      size);
	if (ie) {
		ie += 1;
		wlan_hdd_check_11gmode(ie, &require_ht, &require_vht,
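
Review bot: The error path in the new `if (size <= 0)` block prints an `ssize_t` with `%zu`, so a negative length would be logged as a very large unsigned value; `hdd_err_rl("Invalid length: %zd", size);` matches the declared type. The subtraction just above it includes `sizeof` operands, which are unsigned, so the `size <= 0` test relies on a wrapped result converting back to a negative `ssize_t`. Comparing `beacon->head_len` against the fixed header length before subtracting would make the lower bound explicit and independent of that conversion.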