DigiGoon/android_kernel_xiaomi_sm8350
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

qcacld-3.0: Fix the possible OOB write in country IE unpack

Browse source 
Fix the possible OOB write in unpacking the country IE due to
the IE length check against integer division.

CRs-Fixed: 3910626
Change-Id: I800290ab7285fb46ed43a46ce38967046b4881fa
(cherry picked from commit 0002f9ddc9a6be3e34fe15e55f286b5794b29f08)
This commit is contained in:
Kiran Kumar Lokere 2024-09-09 16:07:29 -07:00 committed by Vivekananda T
parent f7ed2aac62
commit ccf6a7f542
2 changed files with 4 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
core/mac/src/include/dot11f.h
View file

@ -27,7 +27,7 @@
*
*
* This file was automatically generated by 'framesc'
* Tue Sep 3 23:04:38 2024 from the following file(s):
* Wed Sep 11 12:49:28 2024 from the following file(s):
*
* dot11f.frms
*

6
core/mac/src/sys/legacy/src/utils/src/dot11f.c
View file

@ -25,7 +25,7 @@
*
*
* This file was automatically generated by 'framesc'
* Tue Sep 3 23:04:38 2024 from the following file(s):
* Wed Sep 11 12:49:28 2024 from the following file(s):
*
* dot11f.frms
*
@ -134,7 +134,7 @@ typedef struct sIEDefn {
#define DOT11F_PARAMETER_CHECK2(pSrc, pBuf, nBuf, pnConsumed) \
do { \
if (!pSrc || IsBadReadPtr(pSrc, 4))\
eturn DOT11F_BAD_INPUT_BUFFER; \
return DOT11F_BAD_INPUT_BUFFER; \
if (!pBuf || IsBadWritePtr(pBuf, nBuf))\
return DOT11F_BAD_OUTPUT_BUFFER; \
if (!nBuf)\
@ -4131,7 +4131,7 @@ uint32_t dot11f_unpack_ie_country(tpAniSirGlobal pCtx,
return 0U;
} else {
pDst->num_more_triplets = (uint8_t)(ielen / 3);
if (ielen / 3 > 80) {
if (ielen > 80 * 3) {
pDst->present = 0;
return DOT11F_SKIPPED_BAD_IE;
}