qcacld-3.0: Add sanity check to limit mgmt frames data len

Currently the mpdu_data_len in Rx pkt meta is not checked for upper bound in wma_form_rx_packet. Add sanity check to drop the packet if mpdu_data_len is greater than 2000 bytes. Also add upper bound check for frame_len in lim_process_auth_frame function. Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0 CRs-Fixed: 2093392
author: Vignesh Viswanathan <viswanat@codeaurora.org> 2017-08-31 15:26:01 +0530
committer: snandini <snandini@codeaurora.org> 2017-09-15 14:40:54 -0700
commit: 5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8 (patch)
tree: 06d0cd5ac99e97438b9c8e5fb293c4a210ed8f6e /core/wma/src/wma_mgmt.c
parent: 43f445b8e0fca838e833ea95ac78d8dcc363bb45 (diff)
download: qcacld-5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8.tar.gz
1 files changed, 10 insertions, 0 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index a42417eda9..79de8aab6f 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3490,6 +3490,16 @@ static int wma_mgmt_rx_process(void *handle, uint8_t *data,
 
 	rx_pkt->pkt_meta.roamCandidateInd = 0;
 
+	/*
+	 * If the mpdu_data_len is greater than Max (2k), drop the frame
+	 */
+	if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN) {
+		WMA_LOGE("Data Len %d greater than max, dropping frame",
+			 rx_pkt->pkt_meta.mpdu_data_len);
+		qdf_mem_free(rx_pkt);
+		return -EINVAL;
+	}
+
 	/* Why not just use rx_event->hdr.buf_len? */
 	wbuf = qdf_nbuf_alloc(NULL, roundup(hdr->buf_len, 4), 0, 4, false);
 	if (!wbuf) {
author	Vignesh Viswanathan <viswanat@codeaurora.org>	2017-08-31 15:26:01 +0530
committer	snandini <snandini@codeaurora.org>	2017-09-15 14:40:54 -0700
commit	5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8 (patch)
tree	06d0cd5ac99e97438b9c8e5fb293c4a210ed8f6e /core/wma/src/wma_mgmt.c
parent	43f445b8e0fca838e833ea95ac78d8dcc363bb45 (diff)
download	qcacld-5867291c3b58e3e6a3f4ec6e722ade61e7e2dfe8.tar.gz