qcacld-2.0: Fix possible OOB in limProcessAssocReqFrame

propagation from qcacld-3.0 to qcacld-2.0

In the function limProcessAssocReqFrame, if wpa IE is
present, then dot11fUnpackIeWPA is called to copy the wpa IE
to destination buffer. pAssocReq->wpa.length is passed as the
length to copy the IE. As this length includes 4 bytes of the
OUI fields also, this could result in OOB read.

Change the length passed to the dot11fUnpackIeWPA as
(pAssocReq->wpa.length - 4), so that the additional 4 bytes of
the OUI fields are excluded.

Change-Id: If972b3a19d239bb955c7b4d4c7d94e25aa878f21
CRs-Fixed: 2406159

0 files changed, 0 insertions, 0 deletions