qcacld-3.0: Add length check in wma_process_rmf_frame
The driver verifies the replay_attack in protected
management frames in the API wma_is_ccmp_pn_replay_attack
The API expects a CCMP header pointer, but it may happen that
the size of the total frame is less than the size of ieee frame
+ the CCMP header length. In that case the CCMP pointer will
point to some memory location not allocated to the frame, which
will result to out of bound access.
Fix is to add a length check to memory allocated to wbuf in
wma_process_rmf_frame
Change-Id: I351fa671cb8728843c8843c27dd91bcb201abb42
CRs-Fixed: 2230976
1 file changed