qcacld-3.0: Fix potential OOB read in lim_cu_info_from_rnr_per_link_id

Currently while fetching the cu info from rnr, data length is checked only
for max rnr element which leads to possible out-of-bound reads with
invalid information elements.

Add fix to update the data length checks in the while loop to ensure
sufficient bytes are there.

CRs-Fixed: 3754687
Change-Id: I93f2fbc21fc5adfd848ebb27264cc18f7f553438
Krupali Dhanvijay
2024-03-20 10:45:12 +05:30
committed by Ravindra Konda
parent b10bc753f3
commit dd1a568e13

@@ -51,7 +51,7 @@ QDF_STATUS lim_cu_info_from_rnr_per_link_id(const uint8_t *rnr,
rnr_end = rnr + rnr[TAG_LEN_POS] + MIN_IE_LEN; rnr_end = rnr + rnr[TAG_LEN_POS] + MIN_IE_LEN;
data = rnr + PAYLOAD_START_POS; data = rnr + PAYLOAD_START_POS;
while (data < rnr_end) { while ((data + sizeof(struct neighbor_ap_info_field)) <= rnr_end) {
neighbor_ap_info = (struct neighbor_ap_info_field *)data; neighbor_ap_info = (struct neighbor_ap_info_field *)data;
tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count; tbtt_count = neighbor_ap_info->tbtt_header.tbtt_info_count;
tbtt_len = neighbor_ap_info->tbtt_header.tbtt_info_length; tbtt_len = neighbor_ap_info->tbtt_header.tbtt_info_length;
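
Review bot: the new `while` condition only guarantees that one `struct neighbor_ap_info_field` header fits before `rnr_end`; the `tbtt_count` and `tbtt_len` values read on the next lines describe variable-length TBTT data that follows that header, and nothing visible in this hunk bounds that data against `rnr_end`. If the code below the hunk does not already do it, check that the TBTT info implied by `tbtt_count` and `tbtt_len` stays inside `rnr_end` before it is dereferenced or used to advance `data`, and break out of the loop when it does not. Also confirm that the caller validates `rnr[TAG_LEN_POS]` against the real length of the received buffer, since `rnr_end = rnr + rnr[TAG_LEN_POS] + MIN_IE_LEN` trusts that byte as-is. A short comment above the loop stating what the condition guarantees would help future readers.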