The following security vulnerabilities have been identified:
When processing the QCA_NL80211_VENDOR_SUBCMD_ROAM vendor command, for the following roam commands there are input validation issues:
Both of these commands have a "number of BSSIDs" attribute as well as a list of BSSIDs. However, there is no validation that the number of BSSIDs provided won't overflow the destination buffer. In addition, there is no validation that the number of BSSIDs actually provided matches the number of BSSIDs expected.
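The two missing checks, shown as an added example that is not code from this advisory or from the affected driver. It uses a simplified one-byte type/length TLV stream as a stand-in for netlink attributes; `MAX_BSSIDS`, the attribute ids, `struct roam_params` and `parse_roam_bssids` are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_BSSIDS     4   /* assumed capacity of the destination array */
#define BSSID_LEN      6
#define ATTR_NUM_BSSID 1   /* hypothetical attribute ids, not the driver's */
#define ATTR_BSSID     2

struct roam_params {
    uint32_t num_bssid;
    uint8_t  bssid[MAX_BSSIDS][BSSID_LEN];
};

/* Simplified TLV stream: 1-byte type, 1-byte length, payload.
 * Returns 0 on success, -1 if the message must be rejected. */
int parse_roam_bssids(const uint8_t *buf, size_t len, struct roam_params *out)
{
    uint32_t expected = 0, seen = 0;
    int have_count = 0;
    size_t off = 0;

    memset(out, 0, sizeof(*out));
    while (off < len) {
        if (len - off < 2)
            return -1;                    /* truncated attribute header */
        uint8_t type = buf[off], plen = buf[off + 1];
        off += 2;
        if (plen > len - off)
            return -1;                    /* payload runs past the message */
        if (type == ATTR_NUM_BSSID) {
            if (plen != sizeof(expected) || have_count)
                return -1;
            memcpy(&expected, buf + off, sizeof(expected));
            if (expected > MAX_BSSIDS)
                return -1;                /* would overflow out->bssid */
            have_count = 1;
        } else if (type == ATTR_BSSID) {
            if (plen != BSSID_LEN || !have_count || seen >= expected)
                return -1;                /* wrong size or more than declared */
            memcpy(out->bssid[seen++], buf + off, BSSID_LEN);
        }
        off += plen;
    }
    if (!have_count || seen != expected)
        return -1;                        /* fewer entries than declared */
    out->num_bssid = seen;
    return 0;
}
```

The count is bounded against the destination capacity before any copy, and the message is accepted only when the number of entries actually present equals the declared count.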
Access Vector: Local
Security Risk: High
Vulnerability: CWE-120 Buffer Copy Without Checking Size of Input (‘Classic Buffer Overflow’)
All Android releases from CAF using the Linux kernel.
We advise customers to apply the following patches:
This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.