diff options
author | Vignesh Viswanathan <viswanat@codeaurora.org> | 2017-08-31 15:26:01 +0530 |
---|---|---|
committer | snandini <snandini@codeaurora.org> | 2017-09-15 14:40:54 -0700 |
commit | 5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8 (patch) | |
tree | 06d0cd5ac99e97438b9c8e5fb293c4a210ed8f6e /core/wma/src/wma_mgmt.c | |
parent | 43f445b8e0fca838e833ea95ac78d8dcc363bb45 (diff) | |
download | qcacld-5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8.tar.gz |
qcacld-3.0: Add sanity check to limit mgmt frames data len
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.
Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0
CRs-Fixed: 2093392
Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r-- | core/wma/src/wma_mgmt.c | 10 |
1 files changed, 10 insertions, 0 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c index a42417eda9..79de8aab6f 100644 --- a/core/wma/src/wma_mgmt.c +++ b/core/wma/src/wma_mgmt.c @@ -3490,6 +3490,16 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data, rx_pkt->pkt_meta.roamCandidateInd = 0; + /* + * If the mpdu_data_len is greater than Max (2k), drop the frame + */ + if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN) { + WMA_LOGE("Data Len %d greater than max, dropping frame", + rx_pkt->pkt_meta.mpdu_data_len); + qdf_mem_free(rx_pkt); + return -EINVAL; + } + /* Why not just use rx_event->hdr.buf_len? */ wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len, 4), 0, 4, false); if (!wbuf) { |