qcacld-3.0: Avoid OOB read in dot11f_unpack_assoc_response

Avoid OOB read in dot11f_unpack_assoc_response API. Add check for when nBuf == len to read another byte of pBufRemaining. Change-Id: Iccdb0b268d16f4169b8b701ade6085d47897f785 CRs-Fixed: 3042293 Bug: 218337597
author: Gururaj Pandurangi <panduran@codeaurora.org> 2021-10-25 17:19:51 -0700
committer: Paul Chen <chenpaul@google.com> 2022-03-01 02:14:36 +0000
commit: da5e7c9d1c299587a2e2b34772ff336a7f7a5760 (patch)
tree: 0c001e915d4328c0db29fb82b1d5f55dc43cfc3b
parent: 077d56ad1a8bf834ee45315d1793d8717b59cff5 (diff)
download: qcacld-da5e7c9d1c299587a2e2b34772ff336a7f7a5760.tar.gz
1 files changed, 1 insertions, 1 deletions
diff --git a/core/mac/src/sys/legacy/src/utils/src/dot11f.c b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
index ea103d9e75..aea111f427 100644
--- a/core/mac/src/sys/legacy/src/utils/src/dot11f.c
+++ b/core/mac/src/sys/legacy/src/utils/src/dot11f.c
@@ -335,7 +335,7 @@ static uint32_t get_container_ies_len(tpAniSirGlobal pCtx,
 	len += *(pBufRemaining+1);
 	pBufRemaining += len + 2;
 	len += 2;
-	while (len < nBuf) {
+	while (len + 1 < nBuf) {
 		pIe = find_ie_defn(pCtx, pBufRemaining, nBuf - len, IEs);
 		if (NULL == pIe)
 			break;
author	Gururaj Pandurangi <panduran@codeaurora.org>	2021-10-25 17:19:51 -0700
committer	Paul Chen <chenpaul@google.com>	2022-03-01 02:14:36 +0000
commit	da5e7c9d1c299587a2e2b34772ff336a7f7a5760 (patch)
tree	0c001e915d4328c0db29fb82b1d5f55dc43cfc3b
parent	077d56ad1a8bf834ee45315d1793d8717b59cff5 (diff)
download	qcacld-da5e7c9d1c299587a2e2b34772ff336a7f7a5760.tar.gz