[wpa_supplicant] Fix security vulnerability wpa_supplicant/wnm_sta.c:376
Fix Security Vulnerability - Security Report - [Out of bounds read in
wnm_parse_neighbor_report_elem in external/wpa_supplicant_8/wpa_supplicant/wnm_sta.c:376]
Bug: 122074159
Test: Connect to AP, run traffic
Test: Run poc_wnm_sta_376 on device, comfirm new error message appears
Change-Id: If0ff673d2536135469144ee69b3f4e1831be73bf
(cherry picked from commit cb95c3f41acb3bcdd6477b59f945554bc1849465)
(cherry picked from commit 5e6e3f710fd8f317f479fc9b7a5bfed1bef89f9f)
diff --git a/wpa_supplicant/wnm_sta.c b/wpa_supplicant/wnm_sta.c
index 28346ea..3e27f0c 100644
--- a/wpa_supplicant/wnm_sta.c
+++ b/wpa_supplicant/wnm_sta.c
@@ -373,6 +373,10 @@
rep->preference_present = 1;
break;
case WNM_NEIGHBOR_BSS_TERMINATION_DURATION:
+ if (elen < 10) {
+ wpa_printf(MSG_DEBUG, "WNM: Too short bss_term_tsf");
+ break;
+ }
rep->bss_term_tsf = WPA_GET_LE64(pos);
rep->bss_term_dur = WPA_GET_LE16(pos + 8);
rep->bss_term_present = 1;