net: wireless: bcmdhd: adding boundary check in wl_cfg80211_mgmt_tx added boundary check for user-input parameter not to corrupt kernel memmory. Signed-off-by: Insun Song <insun.song@broadcom.com> Bug: 35195787 Change-Id: Ia497feae5f502c9a650e50a39fd0620fa976d908

commit: 6a469209ac014b6d93f373e042500f6e8cd6a04a [log] [tgz]
author: Insun Song <insun.song@broadcom.com> Wed May 03 16:20:41 2017 -0700
committer: Stuart Scott <stuartscott@google.com> Tue May 16 20:12:20 2017 +0000
tree: 4d3e208308055cf10fab20c863fa3adfdaadb6fc
parent: 6cda862834f58f5cba217f445c00bb83aaa8a32a [diff]
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 9081988..a73b030 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c

@@ -5830,6 +5830,10 @@
 
 	WL_DBG(("Enter \n"));
 
+	if (len > (ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)) {
+		WL_ERR(("bad length:%zu\n", len));
+		return BCME_BADARG;
+	}
 	dev = cfgdev_to_wlc_ndev(cfgdev, cfg);
 
 	/* set bsscfg idx for iovar (wlan0: P2PAPI_BSSCFG_PRIMARY, p2p: P2PAPI_BSSCFG_DEVICE)	*/
commit	6a469209ac014b6d93f373e042500f6e8cd6a04a	[log] [tgz]
author	Insun Song <insun.song@broadcom.com>	Wed May 03 16:20:41 2017 -0700
committer	Stuart Scott <stuartscott@google.com>	Tue May 16 20:12:20 2017 +0000
tree	4d3e208308055cf10fab20c863fa3adfdaadb6fc
parent	6cda862834f58f5cba217f445c00bb83aaa8a32a [diff]