android_kernel_xiaomi_sm8350

History

Pragaspathi Thilagaraj 2d1b311af2 qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is present, then dot11f_unpack_ie_wpa is called to copy the wpa IE to destination buffer. assoc_req->wpa.length is passed as the length to copy the IE. As this length includes 4 bytes of the OUI fields also, this could result in OOB read. Change the length passed to the dot11f_unpack_ie_wpa as (assoc_req->wpa.length - 4), so that the additional 4 bytes of the OUI fields are excluded. Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21 CRs-Fixed: 2267557	2018-07-21 03:35:33 -07:00
..
inc	qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie	2018-07-21 03:35:33 -07:00
src	qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie	2018-07-21 03:35:33 -07:00

Pragaspathi Thilagaraj 2d1b311af2 qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

In the function lim_chk_n_process_wpa_rsn_ie, if wpa IE is
present, then dot11f_unpack_ie_wpa is called to copy the wpa IE
to destination buffer. assoc_req->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.

Change the length passed to the dot11f_unpack_ie_wpa as
(assoc_req->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2267557

2018-07-21 03:35:33 -07:00

inc

qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

2018-07-21 03:35:33 -07:00

src

qcacld-3.0: Fix possible OOB in lim_chk_n_process_wpa_rsn_ie

2018-07-21 03:35:33 -07:00