diff options
author | Hervé Boisse <herve.boisse@qorvo.com> | 2022-09-08 16:06:09 +0200 |
---|---|---|
committer | Victor Liu <victorliu@google.com> | 2022-09-08 19:10:57 +0000 |
commit | 027a332ccad7cbdf8fed90970b3c9923fc71c7d1 (patch) | |
tree | bc7d7c335c4e4ce14ebaecaecad6ace29c8859ab | |
parent | 0e80d4cc9397ae7f1e7e8c762b566807ca1f2fe7 (diff) | |
download | uwb-027a332ccad7cbdf8fed90970b3c9923fc71c7d1.tar.gz |
mac: fix potential buffer overflow on rx SP0 frame operation
Bug: 245410125
Signed-off-by: Clément Viel <clement.viel@qorvo.com>
Change-Id: I9f6d48c2cb1b6d832e5a317ac49dc8287aeaf250
-rw-r--r-- | mac/fira_frame.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/mac/fira_frame.c b/mac/fira_frame.c index 09367d5..7feabc1 100644 --- a/mac/fira_frame.c +++ b/mac/fira_frame.c @@ -834,7 +834,8 @@ bool fira_frame_rframe_payload_check(struct fira_local *local, skb_pull(skb, ie_get->len); if (ie_get->id == IEEE802154_IE_PAYLOAD_VENDOR_GID && - ie_get->len >= FIRA_IE_VENDOR_OUI_LEN) { + ie_get->len >= FIRA_IE_VENDOR_OUI_LEN && + ie_get->len <= FIRA_IE_VENDOR_OUI_LEN + FIRA_DATA_PAYLOAD_SIZE_MAX) { u32 vendor; unsigned int data_len; |