RDKB-65853 Fixing coverity issue#1242
Open
bharathivelp wants to merge 1 commit into
Open
Conversation
Contributor
There was a problem hiding this comment.
Pull request overview
This PR addresses Coverity findings in the WiFi control plane by adding additional bounds checking when receiving/parsing management frames, aiming to prevent out-of-bounds access during frame handling.
Changes:
- Added a maximum-length guard for received management frames in
mgmt_wifi_frame_recv()(HAL v3 path). - Added bounds checks in GAS Initial Request parsing to prevent query data from exceeding the frame buffer.
- Adjusted the
push_event_to_ctrl_queue()call site in the HAL v3 path to pass the frame struct pointer directly.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
bharathivelp
force-pushed
the
fix/vulnerability1_2
branch
from
July 1, 2026 13:17
5fbb008 to
bcd358b
Compare
bharathivelp
force-pushed
the
fix/vulnerability1_2
branch
from
July 10, 2026 07:39
bcd358b to
6870c00
Compare
bharathivelp
force-pushed
the
fix/vulnerability1_2
branch
from
July 10, 2026 09:35
6870c00 to
c85ea7d
Compare
Reason for change: Fixing coverity issues. Test Procedure: Build should be successful and the regression test should also succeed Risks: Low Priority: P1 Signed-off-by: Velpula_Bharathi@comcast.com
bharathivelp
force-pushed
the
fix/vulnerability1_2
branch
from
July 13, 2026 09:41
c85ea7d to
373186c
Compare
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.
Comments suppressed due to low confidence (1)
source/core/wifi_ctrl.c:1309
get_gas_init_frame_evt_params()reads fields fromframe(e.g.,adv_proto_elem->id/len) before validating thatlenis large enough to contain awifi_gasInitialRequestFrame_t. If a malformed/short frame is passed in, this can trigger out-of-bounds reads and undefined behavior before the later bounds checks run. Add an earlylen(and null-arg) validation before computingframe_endand dereferencing the struct.
unsigned char *frame_end = frame + len;
wifi_advertisementProtoElement_t *adv_proto_elem;
wifi_advertisementProtoTuple_t *adv_tuple;
const char dpp_oui[3] = {0x50, 0x6f, 0x9a};
wifi_gasInitialRequestFrame_t *pgas_req = (wifi_gasInitialRequestFrame_t *)frame;
verann462
reviewed
Jul 13, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Reason for change: Fixing high medium priority coverity issues.
Test Procedure: Build should be successful and the regression test should also succeed.
Risks: Low
Priority: P1
Signed-off-by: Velpula_Bharathi@comcast.com