wlan: Fix possible integer underflow in cfg80211_rx_mgmt

In the function cfg80211_rx_mgmt, data_len is calculated as
len - ieee80211_hdrlen(mgmt->frame_control). Len is not
validated before this calculation. So a possible integer
underflow will occur if len value is less than the value of
ieee80211_hdrlen(mgmt->frame_control).

Validate the value of len against
ieee80211_hdrlen(mgmt->frame_control) in the caller.

Change-Id: Iae776daf37b0c052bd4ce4da44ea728d121eae51
CRs-Fixed: 2460252
diff --git a/CORE/HDD/src/wlan_hdd_main.c b/CORE/HDD/src/wlan_hdd_main.c
index 567bce5..94eac5c 100644
--- a/CORE/HDD/src/wlan_hdd_main.c
+++ b/CORE/HDD/src/wlan_hdd_main.c
@@ -15878,6 +15878,8 @@
hdd_context_t *hdd_ctx = NULL;
hdd_adapter_t *adapter = NULL;
v_CONTEXT_t vos_context = NULL;
+ struct ieee80211_mgmt *mgmt =
+ (struct ieee80211_mgmt *)frame_ind->frameBuf;
/* Get the global VOSS context.*/
vos_context = vos_get_global_context(VOS_MODULE_ID_SYS, NULL);
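Review bot: the new mgmt initializer reads frame_ind->frameBuf in the declaration block, before any statement in the function body has had a chance to validate frame_ind. No NULL check on frame_ind or frameBuf is visible in this hunk, so if either can be NULL here, the pointer is taken (and later dereferenced) without a guard. Consider declaring mgmt uninitialized and assigning it immediately before the length check, after the existing early-return validation, so the ordering of checks is obvious to the reader.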
@@ -15893,6 +15895,12 @@
{
return;
}
+
+ if (frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control)) {
+ hddLog(LOGE, FL(" Invalid frame length"));
+ return;
+ }
+
adapter = hdd_get_adapter_by_sme_session_id(hdd_ctx,
frame_ind->sessionId);
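Review bot: the new check at "if (frame_ind->frameLen < ieee80211_hdrlen(mgmt->frame_control))" reads mgmt->frame_control from the frame buffer before frameLen has been shown to cover that field, so a frame shorter than the frame_control field is still read past its end in order to compute the bound. Add a first test that frameLen is at least sizeof(mgmt->frame_control), and that frameBuf is non-NULL, before calling ieee80211_hdrlen(). Since frame_control comes from the received frame, the computed header length is itself sender-controlled; it is worth stating in a comment that this check only protects the len - hdrlen subtraction described in the commit message. The log line would also be more useful for triage if it printed frameLen, and the leading space in " Invalid frame length" can be dropped.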