authorArif Hussain <arifhussain@codeaurora.org>2017-10-12 12:40:16 -0700
committersnandini <snandini@codeaurora.org>2017-10-16 01:52:24 -0700
commitc3c1eff6109f31912988be094d23ed58b09b9d08 (patch)
tree09c9d37ac49f1999f7e9f68d182f233db79151fa /core/wma/src/wma_mgmt.c
parentb3abc4ad5080b1c1f8d3c8b86fdfe416c09c27d7 (diff)
qcacld-3.0: Add sanity check in wma_process_rmf_frame
Currently the mpdu_data_len in Rx pkt meta is not checked for upper bound in wma_process_rmf_frame. Add sanity check to drop the packet if mpdu_data_len is greater than 2000 bytes. Change-Id: I156cf9766dda30ee3746361614a2e4586553f93d CRs-Fixed: 2123807
Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r--core/wma/src/wma_mgmt.c24
1 files changed, 20 insertions, 4 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index df5d7d889b..4252e4dc4b 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3296,14 +3296,30 @@ int wma_process_rmf_frame(tp_wma_handle wma_handle,
rx_pkt->pkt_meta.mpdu_hdr_ptr =
qdf_nbuf_data(wbuf);
rx_pkt->pkt_meta.mpdu_len = qdf_nbuf_len(wbuf);
- rx_pkt->pkt_meta.mpdu_data_len =
- rx_pkt->pkt_meta.mpdu_len -
- rx_pkt->pkt_meta.mpdu_hdr_len;
+ rx_pkt->pkt_buf = wbuf;
+ if (rx_pkt->pkt_meta.mpdu_len >=
+ rx_pkt->pkt_meta.mpdu_hdr_len) {
+ rx_pkt->pkt_meta.mpdu_data_len =
+ rx_pkt->pkt_meta.mpdu_len -
+ rx_pkt->pkt_meta.mpdu_hdr_len;
+ } else {
+ WMA_LOGE("mpdu len %d less than hdr %d, dropping frame",
+ rx_pkt->pkt_meta.mpdu_len,
+ rx_pkt->pkt_meta.mpdu_hdr_len);
+ cds_pkt_return_packet(rx_pkt);
+ return -EINVAL;
+ }
+
+ if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN) {
+ WMA_LOGE("Data Len %d greater than max, dropping frame",
+ rx_pkt->pkt_meta.mpdu_data_len);
+ cds_pkt_return_packet(rx_pkt);
+ return -EINVAL;
+ }
rx_pkt->pkt_meta.mpdu_data_ptr =
rx_pkt->pkt_meta.mpdu_hdr_ptr +
rx_pkt->pkt_meta.mpdu_hdr_len;
rx_pkt->pkt_meta.tsf_delta = rx_pkt->pkt_meta.tsf_delta;
- rx_pkt->pkt_buf = wbuf;
WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" tsf_delta: %u"),
MAC_ADDR_ARRAY(wh->i_addr3), rx_pkt->pkt_meta.tsf_delta);
} else {
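Review bot: The upper-bound check at `if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN)` limits only the payload length, although the constant's name suggests a limit on the whole MPDU, so an accepted frame can still have `mpdu_len` as large as the bound plus `mpdu_hdr_len`. If any later consumer sizes a copy from `mpdu_len` (not visible in this hunk), the bound belongs on that field instead, e.g. `if (rx_pkt->pkt_meta.mpdu_len > WMA_MAX_MGMT_MPDU_LEN) {`. Moving `rx_pkt->pkt_buf = wbuf;` ahead of the checks appears to be what lets `cds_pkt_return_packet(rx_pkt)` release the buffer on the new drop paths, and it deserves a comment such as `/* set pkt_buf first so the drop paths below free wbuf together with rx_pkt */`. Both drop paths log at error level for every malformed frame received over the air, so a rate-limited log would keep a peer from flooding the log. The function starts before the hunk and its `else` branch continues past it, so whether that branch applies the same bounds cannot be seen here.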