From 2408148c754fd712d874309e94f0c6e6355ddbdc Mon Sep 17 00:00:00 2001
From: Ahmed ElArabawy <arabawy@google.com>
Date: Wed, 8 Jan 2020 14:28:18 -0800
Subject: Handle IEs with Extension present and zero length

This commit handles malformed information elements  with Id
indicating extension is present, but with length of zero.
This is not a valid length since at least there should be one
octet to carry the extension id.

Bug: 147274004
Test: atest FrameworksWifiTests
Change-Id: I8d3af6cb5833849785fce2530788301e5c849968
---
 service/java/com/android/server/wifi/util/InformationElementUtil.java | 4 ++++
 1 file changed, 4 insertions(+)

(limited to 'service')

diff --git a/service/java/com/android/server/wifi/util/InformationElementUtil.java b/service/java/com/android/server/wifi/util/InformationElementUtil.java
index 3ee5d8c9f..a00cf3143 100644
--- a/service/java/com/android/server/wifi/util/InformationElementUtil.java
+++ b/service/java/com/android/server/wifi/util/InformationElementUtil.java
@@ -61,6 +61,10 @@ public class InformationElementUtil {
             if (eid == InformationElement.EID_SSID) {
                 found_ssid = true;
             } else if (eid == InformationElement.EID_EXTENSION_PRESENT) {
+                if (elementLength == 0) {
+                    // Malformed IE, skipping
+                    break;
+                }
                 eidExt = data.get() & Constants.BYTE_MASK;
                 elementLength--;
             }
-- 
cgit v1.2.3