qcacld-3.0: Fix to pass appropriate buffer length to unpack WPA IE

In lim_set_rs_nie_wp_aiefrom_sme_start_bss_req_message, length passed to unpack WPA IE is length of WPA IE + 2 bytes extra (rsn_ie->rsnIEdata[1] + 2) - 4. So in case only WPA IE is present in assoc request, the WPA IE parser will try to validate the buffer beyond the WPA IE and might fail as the extra 2 bytes of buffer might contain some garbage value.

Pass appropriate length to unpack WPA IE.

Change-Id: Ifad6fabf701a82abd4234569d108b4172adf2bcb
CRs-Fixed: 2217455
@@ -297,7 +297,7 @@ lim_set_rs_nie_wp_aiefrom_sme_start_bss_req_message(tpAniSirGlobal mac_ctx,
|
||||
&& (rsn_ie->rsnIEdata[0] == SIR_MAC_WPA_EID)) {
|
||||
pe_debug("Only WPA IE is present");
|
||||
ret = dot11f_unpack_ie_wpa(mac_ctx, &rsn_ie->rsnIEdata[6],
|
||||
(uint8_t) rsn_ie->length - 4,
|
||||
rsn_ie->rsnIEdata[1] - 4,
|
||||
&session->gStartBssWPAIe, false);
|
||||
if (!DOT11F_SUCCEEDED(ret)) {
|
||||
pe_err("unpack failed, ret: %d", ret);
|
||||
|
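Review bot: The new length argument, rsn_ie->rsnIEdata[1] - 4, is taken from the IE's own length byte, and the visible lines do not bound it before the call to dot11f_unpack_ie_wpa. If rsnIEdata[1] is less than 4 the subtraction goes negative and will wrap when converted to the unsigned length parameter, and if rsnIEdata[1] + 2 exceeds rsn_ie->length the parser is told to read past the data that was actually supplied. Unless the part of the condition above the visible lines already covers this, add a check that rsn_ie->rsnIEdata[1] >= 4 and rsn_ie->rsnIEdata[1] + 2 <= rsn_ie->length before unpacking, and fail the request otherwise. A short comment explaining the offsets 6 and 4 (element ID, length byte and the 4-byte OUI/type that are skipped) would also make the arithmetic easier to audit.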