
qcacld-3.0: Resolve possible OOB issue while processing start_bss

Presently, while processing start_bss, after retrieving the WPS IE from
the beacon frame, the 15th byte of the WPS IE is accessed to get the WPS
state, without confirming that the IE length is large enough to access it.

Before accessing the 15th byte (WPS state) of the WPS IE, make sure the
IE length is at least the minimum length needed to access it.

Change-Id: Ic00c700a1fbf88183b8b2d834c9700b538700ce7
CRs-Fixed: 2239164
Author: Hanumanth Reddy Pothula, 6 years ago
Commit: 04bad8fa9d

1 changed file with 4 additions and 2 deletions:
    core/hdd/src/wlan_hdd_hostapd.c

+ 4 - 2
core/hdd/src/wlan_hdd_hostapd.c

@@ -7561,8 +7561,10 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
 	pIe = wlan_hdd_get_wps_ie_ptr(pBeacon->tail, pBeacon->tail_len);
 
 	if (pIe) {
-		if (pIe[1] < (2 + WPS_OUI_TYPE_SIZE)) {
-			hdd_err("**Wps Ie Length is too small***");
+		/* To acess pIe[15], length needs to be atlest 14 */
+		if (pIe[1] < 14) {
+			hdd_err("**Wps Ie Length(%hhu) is too small***",
+				pIe[1]);
 			ret = -EINVAL;
 			goto error;
 		} else if (memcmp(&pIe[2], WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE) ==
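Review bot: the bound in `if (pIe[1] < 14)` is a magic number whose justification (the `pIe[15]` access) is not visible in this hunk; derive it from a named constant for the WPS state offset (for example a `WPS_STATE_IE_OFFSET` defined next to `WPS_OUI_TYPE_SIZE`, so that "offset 15 into the element requires a payload length of at least 14" is expressed in code rather than only in the comment), and fix the comment typos ('acess' -> 'access', 'atlest' -> 'at least'). The replaced test `pIe[1] < (2 + WPS_OUI_TYPE_SIZE)` was what protected the `memcmp(&pIe[2], WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE)` on the following line; the new constant only subsumes it if `2 + WPS_OUI_TYPE_SIZE <= 14`, which holds for a 4-byte OUI type but should be stated in the comment or kept as a second condition so a later change to the OUI type size cannot silently reopen the read.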