Integer Overflow and Buffer Overflow Vulnerability in wma_radio_chan_stats_event_handler()

Integer Overflow and Buffer Overflow Vulnerability in wma_radio_chan_stats_event_handler()

CVE-2017-15854 · MEDIUM Severity

AV:L/AC:L/AU:N/C:P/I:P/A:P

The value of fix_param->num_chans is received from firmware and if it is too large, an integer overflow can occur in wma_radio_chan_stats_event_handler() for the derived length len leading to a subsequent buffer overflow in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.

Learn more about our Cis Benchmark Audit For Distribution Independent Linux.