authorKumar Anand <kumaranand@google.com>2019-02-21 20:48:38 +0000
committerAndroid Partner Code Review <android-gerrit-partner@google.com>2019-02-21 20:48:38 +0000
commitaa844ea5f38253d689fefbf635a27f16a7b47ee8 (patch)
treeaaefca1d464b6d657eba27f542bf96bb9b97ab2a
parent14949e76f03fb0205d3844db507604823ffefb01 (diff)
parent756f27166a048786d38f9e8c0b40a3ab69828aa6 (diff)
downloadqcacld-aa844ea5f38253d689fefbf635a27f16a7b47ee8.tar.gz
Merge "qcacld-3.0: Fix possible OOB access in lim_process_disassoc_frame" into android-msm-bluecross-4.9
-rw-r--r--core/mac/src/pe/lim/lim_process_disassoc_frame.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/core/mac/src/pe/lim/lim_process_disassoc_frame.c b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
index c8ae79fc86..e36ecc939f 100644
--- a/core/mac/src/pe/lim/lim_process_disassoc_frame.c
+++ b/core/mac/src/pe/lim/lim_process_disassoc_frame.c
@@ -77,13 +77,12 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
uint16_t aid, reasonCode;
tpSirMacMgmtHdr pHdr;
tpDphHashNode pStaDs;
-#ifdef WLAN_FEATURE_11W
- uint32_t frameLen;
-#endif
+ uint32_t frame_len;
int32_t frame_rssi;
pHdr = WMA_GET_RX_MAC_HEADER(pRxPacketInfo);
pBody = WMA_GET_RX_MPDU_DATA(pRxPacketInfo);
+ frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
frame_rssi = (int32_t)WMA_GET_RX_RSSI_NORMALIZED(pRxPacketInfo);
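Review bot: The `frame_len < 2` guard this change adds (third hunk, which runs past the end of SOURCE) is placed after the `#ifdef WLAN_FEATURE_11W` block, so the unprotected-frame path in the second hunk still forwards the frame with `frame_len + sizeof(tSirMacMgmtHdr)` before anything has validated `frame_len`; whether lim_send_sme_unprotected_mgmt_frame_ind tolerates a payload shorter than the 2-byte reason code is not visible here. Placing the check directly after the new `frame_len = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);` line, `if (frame_len < 2) { pe_err("frame len less than 2"); return; }`, appears to cover both consumers and keeps the validation next to the value it validates; if that ordering is intentional, a comment saying so would help. A short comment on the assignment, `/* MPDU body length; must hold at least the 2-byte reason code */`, would also explain why the variable now lives outside the 11W block. lim_process_disassoc_frame's body starts before the first hunk and continues past the last one.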
@@ -137,11 +136,10 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
/* If the frame received is unprotected, forward it to the supplicant to initiate */
/* an SA query */
- frameLen = WMA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
/* send the unprotected frame indication to SME */
lim_send_sme_unprotected_mgmt_frame_ind(pMac, pHdr->fc.subType,
(uint8_t *) pHdr,
- (frameLen +
+ (frame_len +
sizeof(tSirMacMgmtHdr)),
psessionEntry->smeSessionId,
psessionEntry);
@@ -149,6 +147,11 @@ lim_process_disassoc_frame(tpAniSirGlobal pMac, uint8_t *pRxPacketInfo,
}
#endif
+ if (frame_len < 2) {
+ pe_err("frame len less than 2");
+ return;
+ }
+
/* Get reasonCode from Disassociation frame body */
reasonCode = sir_read_u16(pBody);