authorPragaspathi Thilagaraj <tpragasp@codeaurora.org>2018-07-17 11:43:18 +0530
committerAhmed ElArabawy <arabawy@google.com>2019-03-16 02:14:07 +0000
commitc877f8c581d4792f870251326244134b4b064c2e (patch)
tree29158ee820f1c1049251b09ec68217882efbfaa5
parent16732841812a63f2000b8fa67d845d73a439e7d9 (diff)
downloadqcacld-c877f8c581d4792f870251326244134b4b064c2e.tar.gz
qcacld-3.0: Fix possible integer underflow in cfg80211_rx_mgmt
In the function cfg80211_rx_mgmt, data_len is calculated as len - ieee80211_hdrlen(mgmt->frame_control). Len is not validated before this calculation. So a possible integer underflow will occur if len value is less than the value of ieee80211_hdrlen(mgmt->frame_control). Validate the value of len against ieee80211_hdrlen(mgmt->frame_control) in the caller. Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51 CRs-Fixed: 2263758 Bug: 128343981 Signed-off-by: Srinivas Girigowda <quic_sgirigow@quicinc.com>
-rw-r--r--core/hdd/src/wlan_hdd_main.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index 9a22a94015..8b9e16eb11 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -8301,6 +8301,8 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
hdd_adapter_t *adapter = NULL;
void *cds_context = NULL;
int i;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
cds_context = cds_get_global_context();
@@ -8314,6 +8316,11 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
if (0 != wlan_hdd_validate_context(hdd_ctx))
return;
+ if (frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {
+ hdd_err(" Invalid frame length");
+ return;
+ }
+
if (SME_SESSION_ID_ANY == frame_ind->sessionId) {
for (i = 0; i < CSR_ROAM_SESSION_MAX; i++) {
adapter =
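Review bot: The added length check reads `mgmt->frame_control` before anything confirms that `frame_ind->frame_len` covers those two bytes, so for a zero- or one-byte indication the header length is derived from bytes that may not belong to the received frame. Testing the field size first would close that gap: `if (frame_ind->frame_len < sizeof(mgmt->frame_control) || frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {`. The check guarantees only the bare 802.11 header; whether code further down the path needs a larger minimum for the frame body cannot be seen from this hunk and is worth confirming. The message `" Invalid frame length"` is emitted once per rejected frame and omits the value; since these frames presumably originate over the air, including `frame_ind->frame_len` and rate-limiting the log would help triage without letting malformed traffic flood it. The body of hdd_indicate_mgmt_frame continues outside the hunk.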