android_kernel_xiaomi_sm8350

History

Abhishek Ambure 3d18b4c831 qcacld-3.0: Add max index check for dscp_to_up_map array In SME layer, boundary check for dscp_to_up_map array is not present. The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions are used to index dscpmapping. The indices are not validated to be less than 0x40. The dscp_exceptions array is received from association response frame. A malicious AP can send values up to 0xff, causing OOB write of dscpmapping array. Hence, max index check is added to avoid OOB write of dscpmapping array. Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e CRs-Fixed: 2569764	2019-12-10 00:50:20 -08:00
..
inc	qcacld-3.0: Add max index check for dscp_to_up_map array	2019-12-10 00:50:20 -08:00
src	qcacld-3.0: Add max index check for dscp_to_up_map array	2019-12-10 00:50:20 -08:00

Abhishek Ambure 3d18b4c831 qcacld-3.0: Add max index check for dscp_to_up_map array

In SME layer, boundary check for dscp_to_up_map array is not present.

The dscpmapping is an array of 0x40 elements. Values in dscp_exceptions
are used to index dscpmapping. The indices are not validated to be less
than 0x40. The dscp_exceptions array is received from association
response frame. A malicious AP can send values up to 0xff, causing OOB
write of dscpmapping array.

Hence, max index check is added to avoid OOB write of dscpmapping array.

Change-Id: I73526849677e867673fc0bd0024ed2b003e4f89e
CRs-Fixed: 2569764

2019-12-10 00:50:20 -08:00

inc

qcacld-3.0: Add max index check for dscp_to_up_map array

2019-12-10 00:50:20 -08:00

src

qcacld-3.0: Add max index check for dscp_to_up_map array

2019-12-10 00:50:20 -08:00