qcacld-2.0: Possible OOB access in wlan_hdd_cfg80211_start_bss()
Propagation from qcacld-3.0 to qcacld-2.0

Currently in function wlan_hdd_cfg80211_start_bss(), copying supported rates and extended rates from information element pointer without checking for array bounds which may cause OOB access. To address this issue, add length checks before copying supported rates and extended rates.

Change-Id: Ic6363e97bb3498a5dd23bc5e5f9b9f3ce093509d
CRs-Fixed: 2427503
Bug: 112432329
Signed-off-by: Ahmed ElArabawy <arabawy@google.com>
CVE-2019-10566
parent 140141ef9d
commit 0e4954aaa5
@ -10720,6 +10720,11 @@ static void wlan_hdd_check_11gmode(u8 *pIe, u8* require_ht, u8* require_vht,
{
u8 i, num_rates = pIe[0];
if (num_rates > SIR_MAC_RATESET_EID_MAX) {
hddLog(VOS_TRACE_LEVEL_ERROR, "Invalid supported rates %d", num_rates);
return;
}
pIe += 1;
for ( i = 0; i < num_rates; i++)
{
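Review bot: The new check at the top of wlan_hdd_check_11gmode() caps num_rates at SIR_MAC_RATESET_EID_MAX but does not tie it to the number of bytes that actually remain behind pIe, and the visible part of the signature carries no length argument, so the loop `for ( i = 0; i < num_rates; i++)` still depends on the caller having validated the element length against the buffer. Consider passing the remaining IE length in and rejecting a num_rates larger than it, or note in a comment where the caller guarantees this. The function is `static void`, so on the new `return;` path the caller cannot tell the element was rejected and require_ht / require_vht keep whatever values they had; either document that behaviour or return a status. The commit message names wlan_hdd_cfg80211_start_bss() while this hunk changes wlan_hdd_check_11gmode(); the message should say that the helper is where the check lands.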