Out-of-bounds write in wlan driver at function __wlan_hdd_cfg80211_set_ext_roam_params (CVE-2017-0443)

Release Date: May 1, 2017
Advisory ID: QCIR-2017-00027-1
Summary:

The following security vulnerabilities have been identified:

CVE-2017-0443

When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:

  • QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BSSID_PREFS
  • QCA_WLAN_VENDOR_ATTR_ROAM_SUBCMD_SET_BLACKLIST_BSSID

Both of these commands carry a "number of BSSIDs" attribute as well as a list of BSSIDs. However, there is no validation that the number of BSSIDs provided will not overflow the destination buffer. In addition, there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs declared.
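As an added illustration, not the driver's own code: a constructed C routine that applies the two checks the advisory says were missing, the declared count against the destination capacity and the declared count against the bytes actually supplied. The `roam_params` struct, `MAX_BSSID_ENTRIES`, the function name and the sample list are assumptions for the example, not Qualcomm identifiers.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ETH_ALEN 6
#define MAX_BSSID_ENTRIES 8   /* assumed capacity of the destination list */

/* Constructed stand-in for the roam parameter block the vendor command fills. */
struct roam_params {
    uint32_t num_bssid;
    uint8_t bssid[MAX_BSSID_ENTRIES][ETH_ALEN];
};

/*
 * Copy a caller-supplied BSSID list into @p.
 *   @count    value of the "number of BSSIDs" attribute
 *   @list     payload of the BSSID list attribute
 *   @list_len length of @list in bytes, as reported by the attribute parser
 * Returns 0 on success, -E2BIG if the count exceeds the destination, and
 * -EINVAL if the count does not match what was actually supplied.
 */
static int roam_copy_bssids_checked(struct roam_params *p, uint32_t count,
                                    const uint8_t *list, size_t list_len)
{
    /* Check 1: the declared count must fit the destination buffer. */
    if (count > MAX_BSSID_ENTRIES)
        return -E2BIG;
    /* Check 2: the declared count must match the entries actually present. */
    if (list_len != (size_t)count * ETH_ALEN)
        return -EINVAL;
    if (count != 0 && list == NULL)
        return -EINVAL;

    memset(p->bssid, 0, sizeof(p->bssid));
    for (uint32_t i = 0; i < count; i++)
        memcpy(p->bssid[i], list + (size_t)i * ETH_ALEN, ETH_ALEN);
    p->num_bssid = count;
    return 0;
}

/* Constructed sample payload: two BSSIDs, 12 bytes total. */
static const uint8_t sample_list[2 * ETH_ALEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55,
    0x66, 0x77, 0x88, 0x99, 0xaa, 0xbb,
};

int main(void)
{
    struct roam_params p;
    /* Consistent request is accepted; oversized or mismatched ones are not. */
    return roam_copy_bssids_checked(&p, 2, sample_list, sizeof sample_list) != 0
        || roam_copy_bssids_checked(&p, 9, sample_list, 9 * ETH_ALEN) != -E2BIG
        || roam_copy_bssids_checked(&p, 3, sample_list, sizeof sample_list) != -EINVAL;
}
```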

Access Vector: Local
Security Risk: High
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)

Affected Versions:

All Android releases from CAF using the Linux kernel.

Acknowledgement: 

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions: 

Initial revision

Contact: security-advisory@quicinc.com