Commit 5d5bfb17 authored by Dundi Raviteja, committed by nshrivas

qcacld-3.0: Possible OOB access in wlan_hdd_cfg80211_start_bss()

In wlan_hdd_cfg80211_start_bss(), beacon head buffer is typecast
to ieee80211_mgmt structure without checking for buffer length
against beacon header length which may cause OOB access
while accessing ieee80211_mgmt structure.

To address this, add check for beacon head length against beacon
header length before typecasting to ieee80211_mgmt structure.

Also while accessing supported rates, length given to function
wlan_hdd_cfg80211_get_ie_ptr() is the total length of management
frame that also includes header length which may cause OOB access
while getting supported rates.

To address this, send only beacon data length and exclude header
length to function wlan_hdd_cfg80211_get_ie_ptr().

Change-Id: I442b236e48c3be8cbd8019c5c339593f9aa74e3e
CRs-Fixed: 2335957
parent 837d92ca
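
The two checks the commit message describes, as an added example that is not the driver's code or the contents of this commit. The helper names, the sample frame and the 36-byte offset (24-byte management header plus 12 bytes of fixed beacon fields) are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: 24-byte 802.11 management header, then the fixed beacon
 * fields (timestamp 8, beacon interval 2, capability 2) before the IEs. */
#define MGMT_HDR_LEN     24u
#define BEACON_FIXED_LEN 12u
#define BEACON_IE_OFFSET (MGMT_HDR_LEN + BEACON_FIXED_LEN)
#define EID_SUPP_RATES   1u

/* Hypothetical helper: find element `eid` in a TLV list of exactly `len` bytes. */
static const uint8_t *find_ie(const uint8_t *ies, size_t len, uint8_t eid)
{
    size_t off = 0;
    while (len - off >= 2) {              /* room for id + length octets */
        size_t elen = ies[off + 1];
        if (elen > len - off - 2)
            return NULL;                  /* element claims more than remains */
        if (ies[off] == eid)
            return ies + off;
        off += 2 + elen;
    }
    return NULL;
}

/* Hypothetical: locate Supported Rates in a beacon head of head_len bytes. */
static const uint8_t *beacon_supp_rates(const uint8_t *head, size_t head_len)
{
    if (head == NULL || head_len < BEACON_IE_OFFSET)
        return NULL;                      /* too short to view as a beacon frame */
    /* Search only the IE region: the header length is excluded from the bound. */
    return find_ie(head + BEACON_IE_OFFSET, head_len - BEACON_IE_OFFSET,
                   EID_SUPP_RATES);
}

/* Constructed sample: zeroed header, SSID "ab", Supported Rates {0x82, 0x84}. */
static const uint8_t sample_head[44] = {
    [36] = 0, 2, 'a', 'b', 1, 2, 0x82, 0x84
};

int main(void)
{
    const uint8_t *ie = beacon_supp_rates(sample_head, sizeof(sample_head));
    printf("supported rates at offset %td\n", ie ? ie - sample_head : (ptrdiff_t)-1);
    return 0;
}
```

Passing `head_len` instead of `head_len - BEACON_IE_OFFSET` as the search bound would let the walk read up to 36 bytes past the end of the buffer, which is the second defect the commit message describes.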