Google Git
Sign in
android / kernel / msm-modules / qcacld / 52e5a672f1bc3fb8c6596705c1f174a18750d340
commit52e5a672f1bc3fb8c6596705c1f174a18750d340[log] [tgz]
authorJyoti Kumari <jyotkuma@codeaurora.org>Fri Jan 29 12:59:07 2021 +0530
committerHsiu Chang Chen <hsiuchangchen@google.com>Thu Jul 29 08:38:52 2021 +0000
tree84a3a5d6a4cfdc868e9ef7b7ca42ed225f3cdc11
parentc9041ea243a7d6da38365c00e51bd1cf2f443732 [diff]
qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.

Bug: 193070701
Test: Regression tests
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
1 file changed
tree: 84a3a5d6a4cfdc868e9ef7b7ca42ed225f3cdc11
  1. components/
  2. configs/
  3. core/
  4. os_if/
  5. uapi/
  6. Android.mk
  7. Kbuild
  8. Kconfig
  9. Makefile
  10. OWNERS
  11. README.txt