diff options
author | Arif Hussain <arifhussain@codeaurora.org> | 2017-10-12 12:40:16 -0700 |
---|---|---|
committer | snandini <snandini@codeaurora.org> | 2017-10-16 01:52:24 -0700 |
commit | c3c1eff6109f31912988be094d23ed58b09b9d08 (patch) | |
tree | 09c9d37ac49f1999f7e9f68d182f233db79151fa /core/wma/src/wma_mgmt.c | |
parent | b3abc4ad5080b1c1f8d3c8b86fdfe416c09c27d7 (diff) | |
download | qcacld-c3c1eff6109f31912988be094d23ed58b09b9d08.tar.gz |
qcacld-3.0: Add sanity check in wma_process_rmf_frame
Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_process_rmf_frame.
Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes.
Change-Id: I156cf9766dda30ee3746361614a2e4586553f93d
CRs-Fixed: 2123807
Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r-- | core/wma/src/wma_mgmt.c | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c index df5d7d889b..4252e4dc4b 100644 --- a/core/wma/src/wma_mgmt.c +++ b/core/wma/src/wma_mgmt.c @@ -3296,14 +3296,30 @@ int wma_process_rmf_frame(tp_wma_handle wma_handle, rx_pkt->pkt_meta.mpdu_hdr_ptr = qdf_nbuf_data(wbuf); rx_pkt->pkt_meta.mpdu_len = qdf_nbuf_len(wbuf); - rx_pkt->pkt_meta.mpdu_data_len = - rx_pkt->pkt_meta.mpdu_len - - rx_pkt->pkt_meta.mpdu_hdr_len; + rx_pkt->pkt_buf = wbuf; + if (rx_pkt->pkt_meta.mpdu_len >= + rx_pkt->pkt_meta.mpdu_hdr_len) { + rx_pkt->pkt_meta.mpdu_data_len = + rx_pkt->pkt_meta.mpdu_len - + rx_pkt->pkt_meta.mpdu_hdr_len; + } else { + WMA_LOGE("mpdu len %d less than hdr %d, dropping frame", + rx_pkt->pkt_meta.mpdu_len, + rx_pkt->pkt_meta.mpdu_hdr_len); + cds_pkt_return_packet(rx_pkt); + return -EINVAL; + } + + if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN) { + WMA_LOGE("Data Len %d greater than max, dropping frame", + rx_pkt->pkt_meta.mpdu_data_len); + cds_pkt_return_packet(rx_pkt); + return -EINVAL; + } rx_pkt->pkt_meta.mpdu_data_ptr = rx_pkt->pkt_meta.mpdu_hdr_ptr + rx_pkt->pkt_meta.mpdu_hdr_len; rx_pkt->pkt_meta.tsf_delta = rx_pkt->pkt_meta.tsf_delta; - rx_pkt->pkt_buf = wbuf; WMA_LOGD(FL("BSSID: "MAC_ADDRESS_STR" tsf_delta: %u"), MAC_ADDR_ARRAY(wh->i_addr3), rx_pkt->pkt_meta.tsf_delta); } else { |