Commit 35e1eb1a authored by Krupali Dhanvijay, committed by Ravindra Konda

qcacmn: Fix out of bound read issue in ESP ie parse

While parsing the ESP IE from a beacon/probe response frame,
the condition in the loop to copy ESP_INFO from the ESP IE is
incorrect, which will iterate 5 times rather than 4 times;
this may cause OOB access.

data < ((uint8_t *)esp_ie + esp_ie->esp_len + 3)
Here 3 is added to esp_ie->esp_len; actually esp_len itself is
1 byte extra (esp_len = ESP_ID_EXTN + ESP_INFO * 4),
but adding 3 again will loop for one more iteration, and
this will cause OOB access.

Remove the 3 in the loop condition to avoid one extra iteration
and ignore the ESP_ID_EXTN element for the total element count, in function
util_scan_update_esp_data.

Change-Id: Ia9226e483672369af36c6914e3ac914fe9de45e5
CRs-Fixed: 3710081
parent 4a8b2110
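Added illustration of the loop-bound arithmetic in the commit message; this is example code, not the qcacmn source. It assumes the element layout [ID][esp_len][ESP_ID_EXTN][ESP_INFO...] with 3-octet ESP_INFO fields and the first field at offset 3, and contrasts the iteration count of the pre-fix bound (esp_len + 3) with the fixed bound (esp_len), next to a copy routine that derives the field count from esp_len without the ID-extension byte and stays inside the frame buffer.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout, modelled on the commit message (offsets/sizes are
 * assumptions): [ID][esp_len][ID_EXTN][ESP_INFO 0..n-1],
 * esp_len = ESP_ID_EXTN (1) + n * ESP_INFO_LEN. */
#define ESP_HDR_LEN   3   /* ID + esp_len + ID_EXTN: first ESP_INFO at offset 3 */
#define ESP_INFO_LEN  3   /* assumed size of one ESP_INFO field */
#define ESP_INFO_MAX  4

/* Iterations of a loop bounded by (ie + esp_len + slack), stepping one
 * ESP_INFO per pass. slack = 3 models the pre-fix condition, slack = 0
 * the fixed one; esp_len = 13 gives 5 vs 4, as the commit describes. */
int esp_loop_iterations(uint8_t esp_len, int slack)
{
    int n = 0;
    for (int off = ESP_HDR_LEN; off < (int)esp_len + slack; off += ESP_INFO_LEN)
        n++;
    return n;
}

/* Hardened copy: count fields from esp_len minus the ESP_ID_EXTN byte,
 * cap the count, and never read past the frame buffer.
 * Returns the number of ESP_INFO fields copied, or -1 on malformed input. */
int esp_copy_info(const uint8_t *frame, size_t frame_len,
                  uint8_t out[ESP_INFO_MAX][ESP_INFO_LEN])
{
    if (frame_len < ESP_HDR_LEN)
        return -1;
    uint8_t esp_len = frame[1];
    size_t total = 2u + esp_len;              /* ID byte + len byte + body */
    if (esp_len < 1 || total > frame_len)
        return -1;                            /* body extends past the frame */
    size_t info_bytes = esp_len - 1;          /* drop ESP_ID_EXTN from the count */
    if (info_bytes % ESP_INFO_LEN)
        return -1;                            /* partial ESP_INFO field */
    size_t count = info_bytes / ESP_INFO_LEN;
    if (count > ESP_INFO_MAX)
        count = ESP_INFO_MAX;
    for (size_t i = 0; i < count; i++)
        memcpy(out[i], frame + ESP_HDR_LEN + i * ESP_INFO_LEN, ESP_INFO_LEN);
    return (int)count;
}
```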