From b1b58c120fd1c9eeeaa0cc59da8b83e2fa067e1b Mon Sep 17 00:00:00 2001
From: Hai Shalom
Date: Mon, 4 Feb 2019 12:53:10 -0800
Subject: Fix security vulnerability wpa_supplicant/wnm_sta.c:376 Fix Security Vulnerability - Security Report - [Out of bounds read in wnm_parse_neighbor_report_elem in external/wpa_supplicant_8/wpa_supplicant/wnm_sta.c:376]
Bug: 122074159
Test: Connect to AP, run traffic
Test: Run poc_wnm_sta_376 on device, comfirm new error message appears
Change-Id: If0ff673d2536135469144ee69b3f4e1831be73bf
(cherry picked from commit cb95c3f41acb3bcdd6477b59f945554bc1849465)
(cherry picked from commit 5e6e3f710fd8f317f479fc9b7a5bfed1bef89f9f)
---
 wpa_supplicant/wnm_sta.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index bd0b5172..05b9f6c2 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -373,6 +373,10 @@ static void wnm_parse_neighbor_report_elem(struct neighbor_report *rep,
 rep->preference_present = 1;
 break;
 case WNM_NEIGHBOR_BSS_TERMINATION_DURATION:
+ if (elen < 10) {
+ wpa_printf(MSG_DEBUG, "WNM: Too short bss_term_tsf");
+ break;
+ }
 rep->bss_term_tsf = WPA_GET_LE64(pos);
 rep->bss_term_dur = WPA_GET_LE16(pos + 8);
 rep->bss_term_present = 1;
--
cgit v1.2.3
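Review bot: The bound in the added `if (elen < 10)` guard is a bare literal, and nothing in the hunk says it is the sum of the 8 octets read by `WPA_GET_LE64(pos)` and the 2 octets read by `WPA_GET_LE16(pos + 8)`. A comment above the check such as `/* 8-octet BSS Termination TSF + 2-octet Duration */` would keep the guard tied to the two reads if either ever changes. The debug text names only `bss_term_tsf` although the same check also protects the duration read, so wording it for the whole subelement and including `elen` would make a malformed frame easier to triage from logs. The enclosing switch in `wnm_parse_neighbor_report_elem` starts and ends outside the hunk, so it is not visible here whether the other subelement cases validate `elen` before reading from `pos`; that is worth confirming in the same pass.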