From 1b4505ee95bc480d4133fe6ca36316d64ae5523b Mon Sep 17 00:00:00 2001
From: Jianmin Zhu
Date: Fri, 20 Sep 2024 19:02:42 -0700
Subject: [PATCH] qcacmn: Fix OOB Read in util_gen_new_ie

In util_gen_new_ie, there is a possible out-of-bound read due to a missing length check for extended IEs in the final pass over the copied subelements. Fix is to check tmp_new[1] is not zero.

Change-Id: Ic393d699a208bb54ff645bd8d2424b84becf5543
CRs-Fixed: 3924648
---
 .../umac/scan/dispatcher/src/wlan_scan_utils_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index de03b1eb334c..4c1d4a9270f0 100644
--- a/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/drivers/staging/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -2167,7 +2167,7 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
 			if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP ||
 			      tmp_new[0] == WLAN_ELEMID_SSID ||
 			      tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX ||
-			      ((tmp_new[0] == WLAN_ELEMID_EXTN_ELEM) &&
+			      ((tmp_new[0] == WLAN_ELEMID_EXTN_ELEM) && tmp_new[1] &&
 			       (tmp_new[2] == WLAN_EXTN_ELEMID_NONINHERITANCE)))) {
 				if ((pos + tmp_new[1] + MIN_IE_LEN) <=
 				    (new_ie + ielen)) {
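Review bot: The added `tmp_new[1]` test only establishes that the element declares a non-empty payload; it does not by itself show that the byte at `tmp_new[2]` lies inside `new_ie + ielen`, because the remaining-length comparison on the following line runs only after `tmp_new[2]` has already been read. Unless the enclosing loop's guard (outside this hunk) already guarantees that the declared length fits in the buffer, a truncated extension element at the end of the copied area could still be read one byte past its end; a check such as `(tmp_new + MIN_IE_LEN) < (new_ie + ielen)` placed ahead of the `tmp_new[2]` comparison would make the read independent of the loop condition. A short comment on the changed line would also help future readers, e.g. `/* the extension ID is the first payload byte; require len > 0 before reading it */`. The enclosing loop and the body of this `if` continue outside the hunk.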