wlan: Fix possible integer underflow in cfg80211_rx_mgmt

In the function cfg80211_rx_mgmt, data_len is calculated as
len - ieee80211_hdrlen(mgmt->frame_control). Len is not
validated before this calculation. So a possible integer
underflow will occur if len value is less than the value of
ieee80211_hdrlen(mgmt->frame_control).

Validate the value of len against
ieee80211_hdrlen(mgmt->frame_control) in the caller.

Issue: SEC-1940
Change-Id: I321533d31ef040e869e0559a8449d0fd89b75305
CRs-Fixed: 2460252
Signed-off-by: Gururaj Patil <gururaj.patil3@harman.com>
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
index 96af5eb..9964743 100755
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_main.c
@@ -11695,6 +11695,8 @@
hdd_context_t *hdd_ctx = NULL;
hdd_adapter_t *adapter = NULL;
v_CONTEXT_t vos_context = NULL;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
vos_context = vos_get_global_context(VOS_MODULE_ID_SYS, NULL);
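Review bot: the initializer for mgmt reads frame_ind->frameBuf at declaration, ahead of every check the function performs later, including the early return visible in the next hunk. If any of those checks covers frame_ind itself or a NULL frameBuf (not visible in this context), this places a dereference of frame_ind in front of it. Declaring mgmt without an initializer here and assigning it immediately before the length check would keep the pointer use behind the existing validation.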
@@ -11710,6 +11712,10 @@
{
return;
}
+ if (frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {
+ hddLog(LOGE, FL(" Invalid frame length"));
+ return;
+ }
adapter = hdd_get_adapter_by_sme_session_id(hdd_ctx,
frame_ind->sessionId);
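Review bot: in the new check, ieee80211_hdrlen(mgmt->frame_control) reads the two-byte frame_control field out of frameBuf before anything has established that frameLen covers those two bytes, so a frame reported with frameLen of 0 or 1 is read past its stated length in order to decide whether it is too short. Testing frameLen < sizeof(mgmt->frame_control) first, and returning in that case, closes the gap. It would also help to include frame_ind->frameLen in the hddLog message and drop the leading space in " Invalid frame length", so a rejected frame can be diagnosed from the log.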