samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

qcacld-3.0: Resolve possible OOB issue while processing start_bss

Browse Source 
Presently, while processing start_bss, after retrieving WPS IE from
the beacon frame, 15th byte of WPS IE is accessed to get WPS state,
without confirming IE length holds that much minimum length to access.

Before accessing 15th byte(WPS state) of WPS IE, make sure IE length
holds minimum length to access it.

Change-Id: Ic00c700a1fbf88183b8b2d834c9700b538700ce7
CRs-Fixed: 2239164
This commit is contained in:
Hanumanth Reddy Pothula
2018-06-13 18:32:02 +05:30
committed by nshrivas
parent 5f80f479e4
commit 04bad8fa9d
1 changed files with 4 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
core/hdd/src/wlan_hdd_hostapd.c
View File

@@ -7561,8 +7561,10 @@ int wlan_hdd_cfg80211_start_bss(struct hdd_adapter *adapter,
pIe = wlan_hdd_get_wps_ie_ptr(pBeacon->tail, pBeacon->tail_len);
if (pIe) {
if (pIe[1] < (2 + WPS_OUI_TYPE_SIZE)) {
hdd_err("**Wps Ie Length is too small***");
/* To acess pIe[15], length needs to be atlest 14 */
if (pIe[1] < 14) {
hdd_err("**Wps Ie Length(%hhu) is too small***",
pIe[1]);
ret = -EINVAL;
goto error;
} else if (memcmp(&pIe[2], WPS_OUI_TYPE, WPS_OUI_TYPE_SIZE) ==