Possible integer overflow to buffer overflow in QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE (CVE-2017-0441)

Release Date:

May 1, 2017

Affected Projects:

Android for MSM, Firefox OS for MSM, QRD Android

Advisory ID:

QCIR-2017-00029-1

CVE ID(s):

CVE-2017-0441

Summary:

The following security vulnerabilities have been identified:

CVE-2017-0441

The wlan driver supports the vendor command QCA_NL80211_VENDOR_SUBCMD_EXTSCAN_SET_SIGNIFICANT_CHANGE, which supplies a "number of APs" attribute as well as a list of per-AP attributes. However, there is no validation that the number of APs provided won't overflow the destination buffer. In addition, there is no validation that the number of APs actually provided matches the number of APs expected.
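
The two missing checks described above, as an added example that is not part of the advisory and is not the driver's code or its patch. MAX_APS, struct ap_entry, struct change_req, parse_change_req and the flat payload layout are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_APS 8   /* hypothetical capacity of the destination array */

struct ap_entry { uint8_t bssid[6]; int8_t rssi_low, rssi_high; };

struct change_req {             /* fixed-size destination buffer */
    uint32_t num_ap;
    struct ap_entry ap[MAX_APS];
};

/* Simplified stand-in for the vendor command payload (constructed format):
 * a declared AP count plus payload_len bytes of packed ap_entry records.
 * Returns 0 on success, -1 if either validation fails. */
int parse_change_req(uint32_t declared, const uint8_t *payload,
                     size_t payload_len, struct change_req *out)
{
    size_t provided;

    /* Check 1: the declared count must fit the destination buffer. */
    if (declared > MAX_APS)
        return -1;

    /* Check 2: the entries actually supplied must match the declared
     * count. Dividing the length avoids multiplying an untrusted count,
     * which is where an integer overflow would otherwise arise. */
    if (payload_len % sizeof(struct ap_entry) != 0)
        return -1;
    provided = payload_len / sizeof(struct ap_entry);
    if (provided != declared)
        return -1;

    memset(out, 0, sizeof(*out));
    out->num_ap = declared;
    memcpy(out->ap, payload, payload_len);  /* bounded by checks 1 and 2 */
    return 0;
}

int main(void)
{
    struct change_req req;
    uint8_t two_aps[2 * sizeof(struct ap_entry)] = {0};  /* constructed input */

    /* A well-formed request parses; an oversized count is refused. */
    return parse_change_req(2, two_aps, sizeof(two_aps), &req) == 0 &&
           parse_change_req(MAX_APS + 1, two_aps, sizeof(two_aps), &req) == -1
           ? 0 : 1;
}
```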

Access Vector: Local
Security Risk: High

Affected Versions:

All Android releases from CAF using the Linux kernel

Patch:

We advise customers to apply the following patches:

Individual Patches
CVE-2017-0441

Acknowledgement:

This issue was reported to Google by an external security researcher. Qualcomm Innovation Center, Inc. (QuIC) thanks Google for bringing this issue to QuIC's attention.

Revisions:

Initial revision

Contact:

security-advisory@quicinc.com