qcacmn: Fix OOB Read in util_gen_new_ie

In util_gen_new_ie, there is a possible out-of-bound read due to a missing
length check for extended IEs in the final pass over the copied
subelements.
Fix is to check tmp_new[1] is not zero.

Change-Id: Ic393d699a208bb54ff645bd8d2424b84becf5543
CRs-Fixed: 3924648
Jianmin Zhu
2024-09-20 19:02:42 -07:00
committed by Michael Bestas
parent 46db8e981e
commit 1b4505ee95

@@ -2167,7 +2167,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP ||
tmp_new[0] == WLAN_ELEMID_SSID ||
tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX ||
((tmp_new[0] == WLAN_ELEMID_EXTN_ELEM) &&
((tmp_new[0] == WLAN_ELEMID_EXTN_ELEM) && tmp_new[1] &&
(tmp_new[2] == WLAN_EXTN_ELEMID_NONINHERITANCE)))) {
if ((pos + tmp_new[1] + MIN_IE_LEN) <=
(new_ie + ielen)) {
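Review bot: The added `tmp_new[1] &&` test in the `WLAN_ELEMID_EXTN_ELEM` clause only establishes that the element declares a non-empty body; nothing in the visible lines establishes that `tmp_new + 2` is still inside the copied subelement buffer, and the test itself already reads `tmp_new[1]`. The bounds check two lines below, `(pos + tmp_new[1] + MIN_IE_LEN) <= (new_ie + ielen)`, limits the destination pointer `pos`, not the source pointer `tmp_new`. If the loop condition outside this hunk does not already guarantee at least `MIN_IE_LEN` bytes remain at `tmp_new` and that `tmp_new[1]` fits within the remaining source length, add that check ahead of this condition, so the extension ID read is gated on the actual remaining length rather than on the length byte the frame supplies. A one-line comment stating that the extension ID is the first body byte, so a zero length means there is no extension ID to read, would also make the intent of the new test clear to the next reader.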