Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit efcf5dfc authored by hqu's avatar hqu Committed by Gerrit - the friendly Code Review server
Browse files

qcacmn: Fix possible OOB read in extract_mac_phy_cap_service_ready_ext_tlv 

In extract_mac_phy_cap_service_ready_ext() the field num_hw_modes
of hw_caps is used as loop bounds and may be attacked.

hw_mode_caps is a pointer defined by firmware. The exact array
length cannot be got since hw_mode_caps pointing array length
is variable. Fix is to add check for field num_hw_modes of hw_caps.

Change-Id: Ie234db3f2356186a4e7aac121ec88dd7e6453efd
CRs-Fixed: 2387221
parent 3d0e8594
Show whitespace changes
Inline Side-by-side
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Please register or to comment