samsung-sm8650/android_kernel_samsung_sm8650-modules
1
0
Garpu 0
Kode Masalah Tarik Permintaan Actions Packages Projects Rilis Wiki Kegiatan

qcacmn: Fix potential OOB read in util_scan_is_split_prof_found()

Telusuri Sumber 
If the tag length in next_elem is some invalid high value then the
existing length check can still pass and lead to the OOB access.

Add an OOB check w.r.t total IE length to ensure it has the
minimum number of bytes in the buffer.

Change-Id: I9778a3e0ced05d3246d91e23c2a47f7318634d75
CRs-Fixed: 3717566
This commit is contained in:
Srikanth Marepalli
2024-01-31 16:15:05 +05:30
committed by Ravindra Konda
orang tua 8cc36ff7cf
melakukan 77e5284c7c
1 mengubah file dengan 3 tambahan dan 0 penghapusan
Download Patch File Download Diff File Expand all files Collapse all files

3
umac/scan/dispatcher/src/wlan_scan_utils_api.c
Melihat File

@@ -3347,6 +3347,9 @@ static bool util_scan_is_split_prof_found(uint8_t *next_elem,
{
uint8_t *next_mbssid_elem;
if ((next_elem + MIN_IE_LEN + VALID_ELEM_LEAST_LEN) > (ie + ielen))
return false;
if (next_elem[0] == WLAN_ELEMID_MULTIPLE_BSSID) {
if ((next_elem[TAG_LEN_POS] >= VALID_ELEM_LEAST_LEN) &&
(next_elem[SUBELEM_DATA_POS_FROM_MBSSID] !=