diff options
author | Sunil Ravi <sunilravi@google.com> | 2023-04-03 23:01:54 +0000 |
---|---|---|
committer | Sunil Ravi <sunilravi@google.com> | 2023-04-04 01:29:57 +0000 |
commit | 1d9ae9a55470b894973457e3a4892a8820ca1bd7 (patch) | |
tree | 925ed59dfc4709af15ec179df928d7bc5fb73dfa | |
parent | a2e6c5066c4d43a262560cd614802a4549e613c6 (diff) | |
download | wpa_supplicant_8-android13-qpr3-c-s8-release.tar.gz |
Security fix for out of bound read in p2p_inviteandroid-13.0.0_r82android-13.0.0_r81android-13.0.0_r80android-13.0.0_r74android-13.0.0_r73android-13.0.0_r72android-13.0.0_r66android-13.0.0_r65android-13.0.0_r64android-13.0.0_r60android-13.0.0_r59android-13.0.0_r58android13-qpr3-c-s8-releaseandroid13-qpr3-c-s7-releaseandroid13-qpr3-c-s6-releaseandroid13-qpr3-c-s5-releaseandroid13-qpr3-c-s4-releaseandroid13-qpr3-c-s3-releaseandroid13-qpr3-c-s2-releaseandroid13-qpr3-c-s12-releaseandroid13-qpr3-c-s11-releaseandroid13-qpr3-c-s10-releaseandroid13-qpr3-c-s1-release
Check the p2p GO device address length before
sending the invite request to core supplicant.
Bug: 274443441
Test: Compile
Test: Manual - P2P persistent connection
Change-Id: I00f8ba9bea7bd36b52ae66250233230cac22ae83
Merged-In: I00f8ba9bea7bd36b52ae66250233230cac22ae83
(cherry picked from commit 947b5e2ed339224aa5f3751ca3b22370face0967)
-rw-r--r-- | wpa_supplicant/aidl/p2p_iface.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/wpa_supplicant/aidl/p2p_iface.cpp b/wpa_supplicant/aidl/p2p_iface.cpp index b0a2dbfa..adfd0dd7 100644 --- a/wpa_supplicant/aidl/p2p_iface.cpp +++ b/wpa_supplicant/aidl/p2p_iface.cpp @@ -1405,7 +1405,7 @@ ndk::ScopedAStatus P2pIface::inviteInternal( const std::vector<uint8_t>& peer_address) { struct wpa_supplicant* wpa_s = retrieveIfacePtr(); - if (peer_address.size() != ETH_ALEN) { + if (go_device_address.size() != ETH_ALEN || peer_address.size() != ETH_ALEN) { return {createStatus(SupplicantStatusCode::FAILURE_UNKNOWN)}; } if (wpas_p2p_invite_group( |