| author | Jyoti Kumari <jyotkuma@codeaurora.org> | 2021-01-29 12:59:07 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2021-04-29 09:18:38 -0700 |
| commit | 4751a437667d1eb18062e75ea6b67a4807241d07 (patch) | |
| tree | 07f9301f1fb458936308c15b6f92e460c84eb2af /lib/flex_array.c | |
| parent | 12a8f2b91a7179d845af2bb2399022ccb23ac51a (diff) | |
qcacld-3.0: Fix integer underflow in assoc response frame

In func aead_decrypt_assoc_rsp(), it calls
find_ie_data_after_fils_session_ie() to find IE pointer after
FILS session IE from the frame payload.

There is a possibility of integer underflow if frame payload length is
less than FIXED_PARAM_OFFSET_ASSOC_RSP which may increase value
of buf_len variable in find_ie_data_after_fils_session_ie() and
cause OOB during parsing process.

Validate frame payload length with FIXED_PARAM_OFFSET_ASSOC_RSP,
if it is less, then return failure.

Change-Id: I78fbcfeaa1058fcf2a6fe47cd5c26390b54974af
CRs-Fixed: 2859024
Diffstat (limited to 'lib/flex_array.c')
0 files changed, 0 insertions, 0 deletions
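
The underflow and the length check described in the commit message, as an added C example that is not the qcacld-3.0 driver code. The value 6 for FIXED_PARAM_OFFSET_ASSOC_RSP, the element IDs, the function names and the sample frames are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed constants and constructed sample frames, not taken from the driver. */
#define FIXED_PARAM_OFFSET_ASSOC_RSP 6u /* capability + status + AID */
#define EID_EXTENSION 255u
#define EXT_ID_FILS_SESSION 4u
static const uint8_t short_frame[] = { 0x11, 0x04, 0x00, 0x00 };
static const uint8_t good_frame[] = {
    0x11, 0x04, 0x00, 0x00, 0x01, 0xC0,          /* fixed parameters */
    0x01, 0x01, 0x82,                            /* supported rates IE */
    0xFF, 0x09, 0x04, 1, 2, 3, 4, 5, 6, 7, 8,    /* FILS session IE */
    0xDD, 0x02, 0xAA, 0xBB                       /* IE that follows it */
};

/* Unchecked subtraction: wraps to a huge length when frame_len < 6. */
static uint32_t ie_len_unchecked(uint32_t frame_len)
{
    return frame_len - FIXED_PARAM_OFFSET_ASSOC_RSP;
}

/* Checked walker: first IE after the FILS session IE, or NULL. */
static const uint8_t *ies_after_fils_session(const uint8_t *frame,
                                             uint32_t frame_len, uint32_t *out_len)
{
    if (!frame || !out_len || frame_len < FIXED_PARAM_OFFSET_ASSOC_RSP)
        return NULL;                     /* reject before subtracting */
    const uint8_t *p = frame + FIXED_PARAM_OFFSET_ASSOC_RSP;
    uint32_t left = frame_len - FIXED_PARAM_OFFSET_ASSOC_RSP;
    while (left >= 2) {
        uint32_t elem_len = 2u + p[1];   /* header + body */
        if (elem_len > left) return NULL; /* truncated element */
        if (p[0] == EID_EXTENSION && p[1] >= 1 && p[2] == EXT_ID_FILS_SESSION) {
            *out_len = left - elem_len;
            return p + elem_len;
        }
        p += elem_len;
        left -= elem_len;
    }
    return NULL;
}

int main(void)
{
    uint32_t n = 0;
    if (ie_len_unchecked(sizeof(short_frame)) != 0xFFFFFFFEu) return 1;
    if (ies_after_fils_session(short_frame, sizeof(short_frame), &n)) return 1;
    return ies_after_fils_session(good_frame, sizeof(good_frame), &n) ? 0 : 1;
}
```

With the 4-byte frame the unchecked subtraction yields 0xFFFFFFFE, which a parser would then treat as the number of bytes available to walk; the checked version returns NULL before any IE byte is read.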
