qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.
There is a possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less, then return failure.

Bug: 193070701
Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
1 file changed
tree: 856fa0de683097fbccd0291cc90fc468ed3ae1f2
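The underflow the commit message describes, as an added sketch that is not the driver's code: `ie_len_unguarded()` shows the wrapped length, and `ie_after_fils_session()` is a hypothetical IE walk with the length check in place. The function names, the offset value of 6 (three 2-byte fixed fields) and the sample frame bodies are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed values for this sketch: the three 2-byte fixed fields of an
 * association response, and the 802.11 FILS Session element numbering. */
#define FIXED_PARAM_OFFSET   6u
#define EID_EXTENSION        255u
#define EXT_ID_FILS_SESSION  4u

/* Constructed samples: a 4-byte truncated body, and a body carrying a
 * FILS Session IE followed by one 3-byte IE. */
const uint8_t short_body[4] = { 0x11, 0x04, 0x00, 0x00 };
const uint8_t good_body[20] = {
    0x11, 0x04, 0x00, 0x00, 0x01, 0xc0,             /* fixed fields */
    0xff, 0x09, 0x04, 1, 2, 3, 4, 5, 6, 7, 8,       /* FILS Session IE */
    0x01, 0x01, 0x82                                /* trailing IE */
};

/* Unguarded pattern: unsigned subtraction wraps when len < offset. */
uint32_t ie_len_unguarded(uint32_t body_len)
{
    return body_len - FIXED_PARAM_OFFSET;
}

/* Guarded walk: returns the byte after the FILS Session IE, or NULL. */
const uint8_t *ie_after_fils_session(const uint8_t *body, uint32_t body_len,
                                     uint32_t *remaining)
{
    if (body_len < FIXED_PARAM_OFFSET)      /* check from the commit message */
        return NULL;
    const uint8_t *p = body + FIXED_PARAM_OFFSET;
    uint32_t left = body_len - FIXED_PARAM_OFFSET;

    while (left >= 2) {
        uint32_t elen = p[1];
        if (elen > left - 2)                /* IE claims more than remains */
            return NULL;
        if (p[0] == EID_EXTENSION && elen >= 1 && p[2] == EXT_ID_FILS_SESSION) {
            *remaining = left - 2 - elen;
            return p + 2 + elen;
        }
        p += 2 + elen;
        left -= 2 + elen;
    }
    return NULL;
}
```

With a 4-byte body the unguarded subtraction yields 0xFFFFFFFE, which a parser would then treat as the number of IE bytes available.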