From 2935fde98001eca0f8dafad827933ce60d44ffba Mon Sep 17 00:00:00 2001
From: Insun Song
Date: Wed, 24 May 2017 09:21:02 -0700
Subject: net: wireless: bcmdhd: adding boundary check in wl_notify_rx_mgmt_frame

added boundary check for input parameters not to corrupt kernel heap in case user injected malformed input

Signed-off-by: Insun Song
Bug: 37306719
Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
---
 drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 842091f..021f69f7 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -9657,9 +9657,15 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
 u32 event = ntoh32(e->event_type);
 u8 *mgmt_frame;
 u8 bsscfgidx = e->bsscfgidx;
- u32 mgmt_frame_len = ntoh32(e->datalen) - sizeof(wl_event_rx_frame_data_t);
+ u32 mgmt_frame_len = ntoh32(e->datalen);
 u16 channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));
+ if (mgmt_frame_len < sizeof(wl_event_rx_frame_data_t)) {
+ WL_ERR(("wrong datalen:%d\n", mgmt_frame_len));
+ return -EINVAL;
+ }
+ mgmt_frame_len -= sizeof(wl_event_rx_frame_data_t);
+
 memset(&bssid, 0, ETHER_ADDR_LEN);
 ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
@@ -9781,7 +9787,11 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
 WL_DBG((" Event WLC_E_PROBREQ_MSG received\n"));
 mgmt_frame = (u8 *)(data);
 mgmt_frame_len = ntoh32(e->datalen);
-
+ if (mgmt_frame_len < DOT11_MGMT_HDR_LEN) {
+ WL_ERR(("WLC_E_PROBREQ_MSG - wrong datalen:%d\n",
+ mgmt_frame_len));
+ return -EINVAL;
+ }
 prbreq_ie_len = mgmt_frame_len - DOT11_MGMT_HDR_LEN;
 /* Parse prob_req IEs */
-- 
cgit v1.1
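Review bot: The new length check in the first hunk runs one line too late: the `u16 channel` initializer immediately above it already reads `rxframe->channel`, so if `rxframe` points into the same event payload (its definition is above the hunk, so this is inferred) an event whose datalen is shorter than `wl_event_rx_frame_data_t` is still read past its end before the new `return -EINVAL` is reached. Declare `u16 channel;` without an initializer and, after `mgmt_frame_len -= sizeof(wl_event_rx_frame_data_t);`, assign `channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));`. Both hunks also print the `u32 mgmt_frame_len` with `%d`; `%u` is the matching conversion and avoids a -Wformat warning. The enclosing function wl_notify_rx_mgmt_frame starts and ends outside both hunks, so whether `e->datalen` was already bounded against the real event buffer earlier in the receive path cannot be confirmed from this patch.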