[wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376 Fix Security Vulnerability - Security Report - [Out of bounds read in wnm_parse_neighbor_report_elem in external/wpa_supplicant_8/wpa_supplicant/wnm_sta.c:376] Bug: 122074159 Test: Connect to AP, run traffic Test: Run poc_wnm_sta_376 on device, comfirm new error message appears Change-Id: If0ff673d2536135469144ee69b3f4e1831be73bf (cherry picked from commit cb95c3f41acb3bcdd6477b59f945554bc1849465) (cherry picked from commit 5e6e3f710fd8f317f479fc9b7a5bfed1bef89f9f)

commit: 040d17d5d835cc4653e47b120e40975fc37fce95 [log] [tgz]
author: Hai Shalom <haishalom@google.com> Mon Feb 04 12:53:10 2019 -0800
committer: android-build-team Robot <android-build-team-robot@google.com> Wed Mar 13 18:01:38 2019 +0000
tree: d66fa1e18f4737b6013e6ac0a2ea494988ec3ce9
parent: 2bbb11cdbe2749db2f689c7e2a52ebb78a34b30c [diff]
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 28346ea..3e27f0c 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c

@@ -373,6 +373,10 @@
 		rep->preference_present = 1;
 		break;
 	case WNM_NEIGHBOR_BSS_TERMINATION_DURATION:
+		if (elen < 10) {
+			wpa_printf(MSG_DEBUG, "WNM: Too short bss_term_tsf");
+			break;
+		}
 		rep->bss_term_tsf = WPA_GET_LE64(pos);
 		rep->bss_term_dur = WPA_GET_LE16(pos + 8);
 		rep->bss_term_present = 1;
commit	040d17d5d835cc4653e47b120e40975fc37fce95	[log] [tgz]
author	Hai Shalom <haishalom@google.com>	Mon Feb 04 12:53:10 2019 -0800
committer	android-build-team Robot <android-build-team-robot@google.com>	Wed Mar 13 18:01:38 2019 +0000
tree	d66fa1e18f4737b6013e6ac0a2ea494988ec3ce9
parent	2bbb11cdbe2749db2f689c7e2a52ebb78a34b30c [diff]