Skip to content

RDKB-65853 Fixing coverity issue#1242

Open
bharathivelp wants to merge 1 commit into
rdkcentral:developfrom
bharathivelp:fix/vulnerability1_2
Open

RDKB-65853 Fixing coverity issue#1242
bharathivelp wants to merge 1 commit into
rdkcentral:developfrom
bharathivelp:fix/vulnerability1_2

Conversation

@bharathivelp

Copy link
Copy Markdown
Contributor

Reason for change: Fixing high medium priority coverity issues.
Test Procedure: Build should be successful and the regression test should also succeed.

Risks: Low
Priority: P1
Signed-off-by: Velpula_Bharathi@comcast.com

@bharathivelp
bharathivelp requested a review from a team as a code owner July 1, 2026 12:46
Copilot AI review requested due to automatic review settings July 1, 2026 12:46

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Coverity findings in the WiFi control plane by adding additional bounds checking when receiving/parsing management frames, aiming to prevent out-of-bounds access during frame handling.

Changes:

  • Added a maximum-length guard for received management frames in mgmt_wifi_frame_recv() (HAL v3 path).
  • Added bounds checks in GAS Initial Request parsing to prevent query data from exceeding the frame buffer.
  • Adjusted the push_event_to_ctrl_queue() call site in the HAL v3 path to pass the frame struct pointer directly.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread source/core/wifi_ctrl.c Outdated
Comment thread source/core/wifi_ctrl.c Outdated
Comment thread source/core/wifi_ctrl.c

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread source/core/wifi_ctrl.c Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 07:39
@bharathivelp
bharathivelp force-pushed the fix/vulnerability1_2 branch from bcd358b to 6870c00 Compare July 10, 2026 07:39

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread source/core/wifi_ctrl.c Outdated
Copilot AI review requested due to automatic review settings July 10, 2026 09:35
@bharathivelp
bharathivelp force-pushed the fix/vulnerability1_2 branch from 6870c00 to c85ea7d Compare July 10, 2026 09:35

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread source/core/wifi_ctrl.c Outdated
Reason for change: Fixing coverity issues.
Test Procedure: Build should be successful and the regression test should also succeed
Risks: Low
Priority: P1
Signed-off-by: Velpula_Bharathi@comcast.com
Copilot AI review requested due to automatic review settings July 13, 2026 09:41
@bharathivelp
bharathivelp force-pushed the fix/vulnerability1_2 branch from c85ea7d to 373186c Compare July 13, 2026 09:41

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated no new comments.

Comments suppressed due to low confidence (1)

source/core/wifi_ctrl.c:1309

  • get_gas_init_frame_evt_params() reads fields from frame (e.g., adv_proto_elem->id/len) before validating that len is large enough to contain a wifi_gasInitialRequestFrame_t. If a malformed/short frame is passed in, this can trigger out-of-bounds reads and undefined behavior before the later bounds checks run. Add an early len (and null-arg) validation before computing frame_end and dereferencing the struct.
    unsigned char *frame_end = frame + len;
    wifi_advertisementProtoElement_t *adv_proto_elem;
    wifi_advertisementProtoTuple_t *adv_tuple;
    const char dpp_oui[3] = {0x50, 0x6f, 0x9a};
    wifi_gasInitialRequestFrame_t *pgas_req = (wifi_gasInitialRequestFrame_t *)frame;

Comment thread source/core/wifi_ctrl.c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants