diff options
author | Hai Shalom <haishalom@google.com> | 2019-02-04 12:53:10 -0800 |
---|---|---|
committer | Manjae Park <manjaepark@google.com> | 2019-03-12 19:34:29 -0700 |
commit | 89ba439bc81529ef9724133b0ff92cc97b2165a1 (patch) | |
tree | 8d928537a0169ed76fc156decbd0f8e8bf85f8bd | |
parent | 4db01a76ff74e92d367c1410ca3b831dc2d3d02f (diff) | |
download | wpa_supplicant_8-89ba439bc81529ef9724133b0ff92cc97b2165a1.tar.gz |
[wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376android-security-9.0.0_r64android-security-9.0.0_r63android-security-9.0.0_r62android-9.0.0_r61android-9.0.0_r60android-9.0.0_r59android-9.0.0_r58android-9.0.0_r57android-9.0.0_r56android-9.0.0_r55android-9.0.0_r54android-9.0.0_r53android-9.0.0_r52android-9.0.0_r51android-9.0.0_r50android-9.0.0_r49android-9.0.0_r48security-pi-release
Fix Security Vulnerability - Security Report - [Out of bounds read in
wnm_parse_neighbor_report_elem in external/wpa_supplicant_8/wpa_supplicant/wnm_sta.c:376]
Bug: 122074159
Test: Connect to AP, run traffic
Test: Run poc_wnm_sta_376 on device, comfirm new error message appears
Change-Id: If0ff673d2536135469144ee69b3f4e1831be73bf
(cherry picked from commit cb95c3f41acb3bcdd6477b59f945554bc1849465)
(cherry picked from commit 5e6e3f710fd8f317f479fc9b7a5bfed1bef89f9f)
-rw-r--r-- | wpa_supplicant/wnm_sta.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c index 28346ea9..3e27f0c2 100644 --- a/wpa_supplicant/wnm_sta.c +++ b/wpa_supplicant/wnm_sta.c @@ -373,6 +373,10 @@ static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep, rep->preference_present = 1; break; case WNM_NEIGHBOR_BSS_TERMINATION_DURATION: + if (elen < 10) { + wpa_printf(MSG_DEBUG, "WNM: Too short bss_term_tsf"); + break; + } rep->bss_term_tsf = WPA_GET_LE64(pos); rep->bss_term_dur = WPA_GET_LE16(pos + 8); rep->bss_term_present = 1; |