Diffstat (limited to 'core/wma/src/wma_mgmt.c')
-rw-r--r-- | core/wma/src/wma_mgmt.c | 12 |
1 files changed, 10 insertions, 2 deletions
diff --git a/core/wma/src/wma_mgmt.c b/core/wma/src/wma_mgmt.c
index d6d21d1ef3..784b553901 100644
--- a/core/wma/src/wma_mgmt.c
+++ b/core/wma/src/wma_mgmt.c
@@ -3266,20 +3266,28 @@ int wma_process_bip(tp_wma_handle wma_handle,
 	qdf_nbuf_t wbuf
 )
 {
+	uint16_t mmie_size;
 	uint16_t key_id;
 	uint8_t *efrm;
 	efrm = qdf_nbuf_data(wbuf) + qdf_nbuf_len(wbuf);
 	if (iface->key.key_cipher == WMI_CIPHER_AES_CMAC) {
-		key_id = (uint16_t)*(efrm - cds_get_mmie_size() + 2);
+		mmie_size = cds_get_mmie_size();
 	} else if (iface->key.key_cipher == WMI_CIPHER_AES_GMAC) {
-		key_id = (uint16_t)*(efrm - cds_get_gmac_mmie_size() + 2);
+		mmie_size = cds_get_gmac_mmie_size();
 	} else {
 		WMA_LOGE(FL("Invalid key cipher %d"), iface->key.key_cipher);
 		return -EINVAL;
 	}
+	/* Check if frame is invalid length */
+	if (efrm - (uint8_t *)wh < sizeof(*wh) + mmie_size) {
+		WMA_LOGE(FL("Invalid frame length"));
+		return -EINVAL;
+	}
+
+	key_id = (uint16_t)*(efrm - mmie_size + 2);
 	if (!((key_id == WMA_IGTK_KEY_INDEX_4) ||
 	      (key_id == WMA_IGTK_KEY_INDEX_5))) {
 		WMA_LOGE(FL("Invalid KeyID(%d) dropping the frame"), key_id);
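Review bot: The new guard `if (efrm - (uint8_t *)wh < sizeof(*wh) + mmie_size)` compares a signed ptrdiff_t with an unsigned size_t, so the pointer difference is converted to unsigned before the comparison; should efrm ever lie below wh, the negative difference becomes a very large value and the check passes instead of rejecting the frame (this is also what -Wsign-compare warns about). The check further assumes wh is the start of the same buffer that qdf_nbuf_data(wbuf) returns, which the hunk does not show — the parameter list of wma_process_bip, including wh and iface, begins outside the hunk. Since the frame length is already computed on the line above, the bound can be expressed without pointer arithmetic or a type mismatch: `if (qdf_nbuf_len(wbuf) < sizeof(*wh) + mmie_size) {`. Separately, but unchanged by this commit, `key_id` is still read as a single byte cast to uint16_t, so the check against WMA_IGTK_KEY_INDEX_4/5 only ever sees the low octet of the field; worth a `/* NOTE: reads one octet of the key id; confirm field width */` comment if that is intentional.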