qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response

Avoid OOB read in dot11f_unpack_assoc_response API. Add check for when nBuf == len to read another byte of pBufRemaining. Bug: 218337597 Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785 CRs-Fixed: 3042293 Signed-off-by: Vinay Gannevaram <quic_vganneva@quicinc.com>
author: Vinay Gannevaram <quic_vganneva@quicinc.com> 2021-10-25 17:19:51 -0700
committer: Isaac Chiou <isaacchiou@google.com> 2022-03-08 02:44:17 +0000
commit: 0a25482c67e9747de3436fffcc46fca61e5b374e (patch)
tree: 8ac6af001f49dc0d0fae4c049c6880131ef77ee8
parent: 4a28131dc5fe5f46dc63f7111d4e6ec702c017ee (diff)
download: qcacld-0a25482c67e9747de3436fffcc46fca61e5b374e.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index c31a520319..0ed0385e12 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -344,7 +344,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 	len += *(pBufRemaining+1);
 	pBufRemaining += len + 2;
 	len += 2;
-	while (len < nBuf) {
+	while (len + 1 < nBuf) {
 		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
 		if (NULL == pIe)
 			break;
author	Vinay Gannevaram <quic_vganneva@quicinc.com>	2021-10-25 17:19:51 -0700
committer	Isaac Chiou <isaacchiou@google.com>	2022-03-08 02:44:17 +0000
commit	0a25482c67e9747de3436fffcc46fca61e5b374e (patch)
tree	8ac6af001f49dc0d0fae4c049c6880131ef77ee8
parent	4a28131dc5fe5f46dc63f7111d4e6ec702c017ee (diff)
download	qcacld-0a25482c67e9747de3436fffcc46fca61e5b374e.tar.gz