espressif/esp-idf
1
0
Fork 1
mirror of https://github.com/espressif/esp-idf.git synced 2025-10-04 02:50:58 +02:00
Code Issues Packages Projects Releases Wiki Activity

Avoid undefined behavior in RSNXE capability bit checker

Browse Source 
Integer promotion converts u8 rsnxe[i] to an int which is not
sufficiently large to be able to handle the maximum shift left of 24
bits here. Type cast rsnxe[i] to u32 explicitly to get rid of the sign
bit and avoid this undefined behavior from the shift operation.

Credit to OSS-Fuzz: https://issues.oss-fuzz.com/issues/376786400
Fixes: d675d3b15b40 ("Add helper functions for parsing RSNXE capabilities")
Signed-off-by: Jouni Malinen <quic_jouni@quicinc.com>
This commit is contained in:
Jouni Malinen
2024-11-01 21:58:07 +02:00
committed by Kapil Gupta
parent 22a15585fd
commit c3d6a1ce73
1 changed files with 1 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
components/wpa_supplicant/src/common/ieee802_11_common.c
View File

@@ -521,7 +521,7 @@ bool ieee802_11_rsnx_capab_len(const u8 *rsnxe, size_t rsnxe_len,
if (flen > 4) if (flen > 4)
flen = 4; flen = 4;
for (i = 0; i < flen; i++) for (i = 0; i < flen; i++)
capabs |= rsnxe[i] << (8 * i); capabs |= (u32) rsnxe[i] << (8 * i);
return capabs & BIT(capab); return capabs & BIT(capab);
} }