refs/tags/android-12.0.0_r0.13 - kernel/msm-modules/qcacld

tag	5d2183c24de8b4ec9ac6fa2f0f71b8bfbdb9e5fd
tagger	The Android Open Source Project <initial-contribution@android.com>	Mon Nov 01 11:42:37 2021 -0700
object	116433d11acbfff63c13a58a4fd964995c8af839

Android 12.0.0 release 0.13

commit	116433d11acbfff63c13a58a4fd964995c8af839	[log] [tgz]
author	Jyoti Kumari <jyotkuma@codeaurora.org>	Fri Jan 29 12:59:07 2021 +0530
committer	Paul Chen <chenpaul@google.com>	Thu Jul 29 07:54:18 2021 +0000
tree	f9a858227e577848462fac21ef2415a3b73412d9
parent	5e1fc6aec3ed581cb7c76b9e46a7367dce0058ff [diff]

qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less then return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Bug: 193070701
Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>

core/mac/src/pe/lim/lim_process_fils.c[diff]

1 file changed

tree: f9a858227e577848462fac21ef2415a3b73412d9