author | Pragaspathi Thilagaraj <tpragasp@codeaurora.org> | 2018-07-17 11:43:18 +0530 |
---|---|---|
committer | Kelly Rossmoyer <krossmo@google.com> | 2019-05-09 01:43:52 +0000 |
commit | 6be781e8ab5fac0194cc6e0d91a67f35713438f7 (patch) | |
tree | d3eb2c7740c5b4df279c0eb5cfefd1aab7cc1c19 | |
parent | b16724a840cafdbc976a4ca2bcfab3d4f01fd9f3 (diff) | |
qcacld-3.0: Fix possible integer underflow in cfg80211_rx_mgmt
In the function cfg80211_rx_mgmt, data_len is calculated as
len - ieee80211_hdrlen(mgmt->frame_control). Len is not
validated before this calculation. So a possible integer
underflow will occur if len value is less than the value of
ieee80211_hdrlen(mgmt->frame_control).
Validate the value of len against
ieee80211_hdrlen(mgmt->frame_control) in the caller.
Bug: 129850941
Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2263758
Signed-off-by: hsuvictor <hsuvictor@google.com>
-rw-r--r-- | core/hdd/src/wlan_hdd_main.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/core/hdd/src/wlan_hdd_main.c b/core/hdd/src/wlan_hdd_main.c
index 9ccc966daa..8f5a9454fa 100644
--- a/core/hdd/src/wlan_hdd_main.c
+++ b/core/hdd/src/wlan_hdd_main.c
@@ -8306,6 +8306,8 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
 hdd_adapter_t *adapter = NULL;
 void *cds_context = NULL;
 int i;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;

 /* Get the global VOSS context.*/
 cds_context = cds_get_global_context();
@@ -8319,6 +8321,11 @@ void hdd_indicate_mgmt_frame(tSirSmeMgmtFrameInd *frame_ind)
 if (0 != wlan_hdd_validate_context(hdd_ctx))
 return;

+ if (frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {
+ hdd_err(" Invalid frame length");
+ return;
+ }
+
 if (SME_SESSION_ID_ANY == frame_ind->sessionId) {
 for (i = 0; i < CSR_ROAM_SESSION_MAX; i++) {
 adapter = |
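Review bot: The guard added in the second hunk reads `mgmt->frame_control` before anything has established that `frame_ind->frame_len` covers those two bytes, and the bound it compares against is computed from that same field of the received frame. `ieee80211_hdrlen()` returns a shorter length for some control-frame subtypes, so a short buffer whose frame_control declares one of them can pass the check while the code below still handles it as a management frame; whether those paths rely on a full three-address header lies outside the hunk. Adding a fixed floor ahead of the existing comparison would cover both cases: `if (frame_ind->frame_len < sizeof(struct ieee80211_hdr_3addr) || frame_ind->frame_len < ieee80211_hdrlen(mgmt->frame_control)) {`. The log text would help triage more if it dropped the leading space and reported the rejected length, and since the condition is driven by received frames it is worth confirming this path cannot flood the kernel log. The body of hdd_indicate_mgmt_frame starts before the first hunk and continues past the second.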