Android S v2 Beta 2 Release 0.2 (S2B2.211203.006,coral/flame)
qcacld-3.0: Fix possible OOB in unpack_tlv_core

Currently in unpack_tlv_core(), nBufRemaining is validated
after calling framesntohs API. framesntohs() copies
pIn address to pOut address with length = 2 bytes as below:
    DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
Bug: 202465127
CRs-Fixed: 3042282
Signed-off-by: Aditya Kodukula <quic_akodukul@quicinc.com>
2 files changed
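
The check-before-read ordering the commit message describes, as an added example that is not code from qcacld-3.0. The names read_be16 and count_tlvs, the fixed 16-bit type and 16-bit length layout, and the sample frames are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for a 2-byte network-order read: like the copy
 * quoted in the commit message, it always touches exactly 2 bytes. */
static uint16_t read_be16(const uint8_t *in)
{
    return (uint16_t)((in[0] << 8) | in[1]);
}

/* Assumed layout: 16-bit type, 16-bit length, then `length` value bytes.
 * Returns the number of complete TLVs, or -1 if the buffer is truncated. */
int count_tlvs(const uint8_t *buf, size_t remaining)
{
    int count = 0;

    while (remaining > 0) {
        uint16_t len;

        /* Validate before reading: both 2-byte fields must be present. */
        if (remaining < 4)
            return -1;
        len = read_be16(buf + 2);   /* type at buf[0..1] is not needed here */
        buf += 4;
        remaining -= 4;

        /* The declared value length must fit in what is left. */
        if (len > remaining)
            return -1;
        buf += len;
        remaining -= len;
        count++;
    }
    return count;
}

/* Constructed sample frames (not captured traffic). */
static const uint8_t two_tlvs[] = { 0, 1, 0, 2, 0xAA, 0xBB, 0, 2, 0, 0 };
static const uint8_t cut_header[] = { 0, 1, 0, 2, 0xAA, 0xBB, 0 };
static const uint8_t cut_value[] = { 0, 1, 0, 5, 0xAA };

int main(void)
{
    printf("%d %d %d\n", count_tlvs(two_tlvs, sizeof(two_tlvs)),
           count_tlvs(cut_header, sizeof(cut_header)),
           count_tlvs(cut_value, sizeof(cut_value)));
    return 0;
}
```

Moving the `remaining < 4` test below the read_be16 call would reproduce the ordering the commit fixes: on cut_header the read would run with only one byte left in the buffer.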