android_kernel_samsung_msm8976/drivers/net/wireless/qcacld-2.0/CORE/MAC/src/pe/rrm
bings 9354ce454d qcacld-2.0: Fix integer overflow in rrmFillBeaconIes()
In function rrmFillBeaconIes, the total IE length is calculated
as sum of length field of the IE and 2 (element id 1 byte and IE
length field 1 byte). The total IE length is defined of type
uint16_t and will overflow if the *(pBcnIes + 1) = 0xfe.

Validate the len against total IE length to avoid overflow.
Change-Id: If8f86952ce43c5923906fc6ef18705f1785c5d88
CRs-Fixed: 2617005
2020-03-20 22:10:26 +01:00
rrmApi.c qcacld-2.0: Fix integer overflow in rrmFillBeaconIes() 2020-03-20 22:10:26 +01:00