diff options
| author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2018-05-29 10:27:51 +0530 |
|---|---|---|
| committer | Gerrit - the friendly Code Review server <code-review@localhost> | 2018-06-04 00:27:45 -0700 |
| commit | 481d44117c1a4314b7ace2f176ea7db75f4ece99 (patch) | |
| tree | 1d8094927a66731ead5fcfd1210b52eeed4c3422 /tools/perf/scripts | |
| parent | d02af1b676d5113445975f275afe7bbdb0396a7e (diff) | |
qcacld-3.0: Validate TLV length in FILS wrapped data before processing
While processing FILS EAP TLVs present in FILS wrapped data in Auth Frame,
the tlv->length from the frame is used as the length to copy the buffer
into the FILS auth info without validating if the received buffer
length is at least greater than the length value in the TLV buffer.
This would lead to OOB read if the TLV length present in the frame is
greater than the actual data_len of the FILS wrapped data.
Add sanity check to return error if tlv->length is greater than wrapped
data_len + 2 with 2 bytes for the TLV header.
Change-Id: Ibe1183c8e318ceb75db6278c935786322a029d5c
CRs-Fixed: 2245944
Diffstat (limited to 'tools/perf/scripts')
0 files changed, 0 insertions, 0 deletions