android_kernel_xiaomi_sm8350/core
Vignesh Viswanathan 228645aa79 qcacld-3.0: Validate TLV length in FILS wrapped data before processing

While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.

Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.

Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
2018-06-08 10:11:54 -07:00
..
bmi qcacld-3.0: bmi: Fix misspellings 2018-05-16 18:01:27 -07:00
cds qcacld-3.0: Featurize packet log 2018-06-06 23:49:08 -07:00
dp qcacld-3.0: Incorrect message offset validations in t2h message handling 2018-06-08 10:11:36 -07:00
hdd qcacld-3.0: Make channel list dynamic 2018-06-08 10:11:50 -07:00
mac qcacld-3.0: Validate TLV length in FILS wrapped data before processing 2018-06-08 10:11:54 -07:00
pld qcacld-3.0: Check if sdio device is valid before start wifi 2018-06-07 21:08:36 -07:00
sap qcacld-3.0: Choose appropriate bandwidth while channel switch 2018-06-08 10:11:46 -07:00
sme qcacld-3.0: Make channel list dynamic 2018-06-08 10:11:50 -07:00
wma qcacld-3.0: Make channel list dynamic 2018-06-08 10:11:50 -07:00