tag ad2accee3778e82e36e2cf64ac53f16f20fca6fc
tagger The Android Open Source Project <initial-contribution@android.com> Mon May 03 16:11:09 2021 -0700
object 6c15c96c32ad9889f1217d0a013b0d6f6bded0d1

Android Security 8.1.0 Release 88 (7249334)

commit 6c15c96c32ad9889f1217d0a013b0d6f6bded0d1
author Jimmy Chen <jimmycmchen@google.com> Mon Nov 09 11:43:12 2020 +0200
committer Huizi Yang <yanghuiz@google.com> Wed Dec 09 15:51:06 2020 -0800
tree 7918a06dd354df29071ed9c4b02ab6b3a2c697f4
parent 8ca106502bd1f3634781d5925629f7e8de89eda5

P2P: Fix copying of secondary device types for P2P group client

Parsing and copying of WPS secondary device types list was verifying
that the contents is not too long for the internal maximum in the case
of WPS messages, but similar validation was missing from the case of P2P
group information which encodes this information in a different
attribute. This could result in writing beyond the memory area assigned
for these entries and corrupting memory within an instance of struct
p2p_device. This could result in invalid operations and unexpected
behavior when trying to free pointers from that corrupted memory.

Credit to OSS-Fuzz: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=27269
Fixes: e57ae6e19edf ("P2P: Keep track of secondary device types for peers")
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>

Bug: 172937525
Test: add malformed vendor element config in p2p_supplicant.conf
Change-Id: I6837931dcd3be01e68dc93d79ec1f874063fcae3
Merged-In: I6837931dcd3be01e68dc93d79ec1f874063fcae3
(cherry picked from commit 5133d78464e2b44f00b7956458ea23892a2c85c6)