[lineage-17.1] Android Security Bulletin 2020-08 #3
Commits on Aug 3, 2020
-
qcacld-3.0: Validate assoc response IE len before copy
When host sends ft assoc response to supplicant, it allocates a buffer of fixed size and copies a variable length of assoc response IEs to this fixed sized buffer. There is a possibility of OOB write to the allocated buffer if the assoc response IEs length is greater than the allocated buffer size. To avoid above issue validate the assoc response IEs length with the allocated buffer size before data copy to the buffer. Change-ID: Ife9c2071a8cc4a2918b9f349f4024478f94b2d78 CRs-Fixed: 2575144
-
qcacld-3.0: Fix while condition in rrm_fill_beacon_ies()
In function rrm_fill_beacon_ies, do while loop is checked for BcnNumIes if it is greater than IE length 0. Fix the check to be greater than 2 as the first two bytes is IE header(element ID and IE length fields both 1 byte each.) Change-Id: I11e5de481cd49a22acafee938fbe73f839f5b0e4 CRs-Fixed: 2626729
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.