commit 5ab5cde228af66b3e832bfffd5f2c3949b7fe879
author Vignesh Viswanathan <viswanat@codeaurora.org> Tue Nov 21 16:21:34 2017 +0530
committer Vignesh Viswanathan <viswanat@codeaurora.org> Wed Nov 22 21:56:52 2017 +0530
tree ca10346e4e3c9abbb5922756d804a8e5783ce511
parent 884679f594ddcfd1a3623e14e575a78dfa155e4a

wlan: Add sanity check to limit mgmt frames data len

Currently the frameLen in Rx pkt meta is not checked for
upper bound in peHandleMgmtFrame.

Add sanity check to drop the packet if frameLen is
greater than 2000 bytes. Also add upper bound check for
frameLen in limProcessAuthFrame function.

Change-Id: Id8d80f892c18d044896224c22b21f667ee30eb6b
CRs-Fixed: 2146331

CORE/MAC/src/pe/lim/limApi.c

diff --git a/CORE/MAC/src/pe/lim/limApi.c b/CORE/MAC/src/pe/lim/limApi.c
index 64b0bd6..d8137ff 100644
--- a/CORE/MAC/src/pe/lim/limApi.c
+++ b/CORE/MAC/src/pe/lim/limApi.c
@@ -1396,6 +1396,7 @@
     vos_pkt_t      *pVosPkt;
     VOS_STATUS      vosStatus;
     v_U8_t         *pRxPacketInfo;
+    tANI_U16        frameLen;
 
     pVosPkt = (vos_pkt_t *)vosBuff;
     if (NULL == pVosPkt)
@@ -1419,6 +1420,12 @@
         return VOS_STATUS_E_FAILURE;
     }
 
+    frameLen = WDA_GET_RX_PAYLOAD_LEN(pRxPacketInfo);
+    if (frameLen > WDA_MAX_MGMT_MPDU_LEN) {
+        PELOG1(limLog(pMac, LOG1, FL("Dropping frame of len %d"), frameLen));
+        vos_pkt_return_packet(pVosPkt);
+        return VOS_STATUS_E_FAILURE;
+    }
 
     //
     //  The MPDU header is now present at a certain "offset" in