Possible integer overflow to buffer overflow in QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE (CVE-2017-0441)

Release Date: 
May 1, 2017
Advisory ID: 
QCIR-2017-00029-1
Summary: 

The following security vulnerabilities have been identified:
 
CVE-2017-0441
The wlan driver supports the vendor command QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE, which supplies a "number of APs" attribute as well as a list of per-AP attributes. However, there is no validation that the number of APs provided won't overflow the destination buffer. In addition, there is no validation that the number of APs actually provided matches the number of APs expected.

Access Vector: Local
Security Risk: High
Vulnerability: CWE-680 Integer Overflow to Buffer Overflow
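
The two validations the description says are missing, as an added example that is not taken from this advisory or from the driver source. The message layout (a 32-bit count followed by fixed-size records), `MAX_SIG_APS`, the struct fields and both function names are assumptions made for illustration; the message is constructed in `try_parse`.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_SIG_APS 8 /* hypothetical capacity of the destination array */

struct ap_entry { uint8_t bssid[6]; int32_t rssi_low; int32_t rssi_high; };
struct sig_change_req { uint32_t num_ap; struct ap_entry ap[MAX_SIG_APS]; };

/* Simplified stand-in for the vendor command payload: a 32-bit AP count
 * followed by fixed-size per-AP records. Returns 0 on success, -1 on rejection. */
int parse_sig_change(const uint8_t *msg, size_t len, struct sig_change_req *out)
{
    uint32_t claimed;
    size_t payload, provided;
    if (len < sizeof(claimed))
        return -1;
    memcpy(&claimed, msg, sizeof(claimed));

    /* Check 1: the claimed count must fit the destination array. Bounding it
     * first also keeps the later size multiplication from wrapping. */
    if (claimed > MAX_SIG_APS)
        return -1;

    /* Check 2: the records actually supplied must match the claimed count. */
    payload = len - sizeof(claimed);
    if (payload % sizeof(struct ap_entry) != 0)
        return -1;
    provided = payload / sizeof(struct ap_entry);
    if (provided != claimed)
        return -1;

    out->num_ap = claimed;
    memcpy(out->ap, msg + sizeof(claimed), provided * sizeof(struct ap_entry));
    return 0;
}

/* Constructed test message: claims `claimed` APs, carries `provided` records. */
int try_parse(uint32_t claimed, size_t provided)
{
    uint8_t msg[sizeof(uint32_t) + 16 * sizeof(struct ap_entry)] = {0};
    struct sig_change_req req;
    if (provided > 16)
        return -2;
    memcpy(msg, &claimed, sizeof(claimed));
    return parse_sig_change(msg, sizeof(claimed) + provided * sizeof(struct ap_entry), &req);
}

int main(void) { return try_parse(2, 2) == 0 && try_parse(9, 9) == -1 ? 0 : 1; }
```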

Affected Versions:
All Android releases from CAF using the Linux kernel.

Patch: 
Acknowledgement: 

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions: 

Initial revision 

Contact: 
security-advisory@quicinc.com