qcacmn: handle integer underflow in util_gen_new_ie

Handle integer underflow for subie_len in util_gen_new_ie Bug: 318454936 Test: Regression Test Change-Id: I2f73e5a7e0462100deae1e85e6a51f77bfc46b95 CRs-Fixed: 3582487 Signed-off-by: Hsiu-Chang Chen <hsiuchangchen@google.com>
author: Hsiu-Chang Chen <hsiuchangchen@google.com> 2023-08-11 00:13:30 -0700
committer: Hsiu-Chang Chen <hsiuchangchen@google.com> 2024-02-19 05:50:35 +0000
commit: 1e281aa58863d17b12cb4c5203e9ce4baf7a2e7e (patch)
tree: f4a7bf9ee92afd9f63e39fa76bb42e4fe0284014
parent: 77225ad48af10dee8905f5de7712bfc35a3afb14 (diff)
download: wlan-1e281aa58863d17b12cb4c5203e9ce4baf7a2e7e.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c b/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
index 6156dfd..5349e16 100644
--- a/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
+++ b/qca-wifi-host-cmn/umac/scan/dispatcher/src/wlan_scan_utils_api.c
@@ -2580,8 +2580,9 @@ static uint32_t util_gen_new_ie(uint8_t *ie, uint32_t ielen,
 	 * copied to new ie, skip ssid, capability, bssid-index ie
 	 */
 	tmp_new = sub_copy;
-	while (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <=
-	       subie_len) {
+	while ((subie_len > 0) &&
+	       (((tmp_new + tmp_new[1] + MIN_IE_LEN) - sub_copy) <=
+		(subie_len - 1))) {
 		if (!(tmp_new[0] == WLAN_ELEMID_NONTX_BSSID_CAP ||
 		      tmp_new[0] == WLAN_ELEMID_SSID ||
 		      tmp_new[0] == WLAN_ELEMID_MULTI_BSSID_IDX ||
author	Hsiu-Chang Chen <hsiuchangchen@google.com>	2023-08-11 00:13:30 -0700
committer	Hsiu-Chang Chen <hsiuchangchen@google.com>	2024-02-19 05:50:35 +0000
commit	1e281aa58863d17b12cb4c5203e9ce4baf7a2e7e (patch)
tree	f4a7bf9ee92afd9f63e39fa76bb42e4fe0284014
parent	77225ad48af10dee8905f5de7712bfc35a3afb14 (diff)
download	wlan-1e281aa58863d17b12cb4c5203e9ce4baf7a2e7e.tar.gz