qcacld-3.0: Fix possible OOB in unpack_tlv_core

Currently in unpack_tlv_core(), nBufRemaining is validated
after calling framesntohs API. Since, framesntohs() copies
pIn address to pOut address with length = 2 bytes as below.
DOT11F_MEMCPY(pCtx, (uint16_t *)pOut, pIn, 2);
which could cause OOB issue if pIn contains less than 2 bytes.

Fix is to validate the nBufRemaining size before calling
framesntohs().

Change-Id: I3ead03ec948282a410ddba5b01f82ca31d3d9199
CRs-Fixed: 3042282

0 files changed, 0 insertions, 0 deletions