Out-of-bounds write in wifi driver function hdd_extscan_passpoint_fill_network_list (CVE-2017-0439)

Release Date:

May 1, 2017

Affected Projects:

Android for MSMFirefox OS for MSMQRD Android

Advisory ID:

QCIR-2017-00028-1

CVE ID(s):

CVE-2017-0439

Summary:

The following security vulnerabilities have been identified: CVE-2017-0439 Currently when processing a passpoint vendor command the "num networks" attribute is limit checked and if it exceeds a MAX value then the command is rejected. Otherwise this value is used to calculate the size of the buffer allocated to hold the internal representation of the request. However later when the network attributes are parsed there is no check to make sure the number of networks processed does not exceed the "num networks" used to allocate memory, and as a result a buffer overflow can occur.

Access Vector: Local
Security Risk: Medium
Access Vector: Local

Affected Versions:

All Android releases from CAF using the Linux kernel

Patch:

We advise customers to apply the following patches:

Individual Patches
CVE-2017-0439:

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com