mirror of
https://github.com/Divested-Mobile/DivestOS-Build.git
synced 2024-12-24 06:59:27 -05:00
54 lines
1.9 KiB
Diff
54 lines
1.9 KiB
Diff
From 2935fde98001eca0f8dafad827933ce60d44ffba Mon Sep 17 00:00:00 2001
|
|
From: Insun Song <insun.song@broadcom.com>
|
|
Date: Wed, 24 May 2017 09:21:02 -0700
|
|
Subject: net: wireless: bcmdhd: adding boundary check in
|
|
wl_notify_rx_mgmt_frame
|
|
|
|
added boundary check for input parameters not to corrupt kernel heap in
|
|
case user injected malformed input
|
|
|
|
Signed-off-by: Insun Song <insun.song@broadcom.com>
|
|
Bug: 37306719
|
|
Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
|
|
---
|
|
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 ++++++++++++--
|
|
1 file changed, 12 insertions(+), 2 deletions(-)
|
|
|
|
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
|
|
index 842091f..021f69f7 100644
|
|
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
|
|
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
|
|
@@ -9657,9 +9657,15 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
|
|
u32 event = ntoh32(e->event_type);
|
|
u8 *mgmt_frame;
|
|
u8 bsscfgidx = e->bsscfgidx;
|
|
- u32 mgmt_frame_len = ntoh32(e->datalen) - sizeof(wl_event_rx_frame_data_t);
|
|
+ u32 mgmt_frame_len = ntoh32(e->datalen);
|
|
u16 channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));
|
|
|
|
+ if (mgmt_frame_len < sizeof(wl_event_rx_frame_data_t)) {
|
|
+ WL_ERR(("wrong datalen:%d\n", mgmt_frame_len));
|
|
+ return -EINVAL;
|
|
+ }
|
|
+ mgmt_frame_len -= sizeof(wl_event_rx_frame_data_t);
|
|
+
|
|
memset(&bssid, 0, ETHER_ADDR_LEN);
|
|
|
|
ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
|
|
@@ -9781,7 +9787,11 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
|
|
WL_DBG((" Event WLC_E_PROBREQ_MSG received\n"));
|
|
mgmt_frame = (u8 *)(data);
|
|
mgmt_frame_len = ntoh32(e->datalen);
|
|
-
|
|
+ if (mgmt_frame_len < DOT11_MGMT_HDR_LEN) {
|
|
+ WL_ERR(("WLC_E_PROBREQ_MSG - wrong datalen:%d\n",
|
|
+ mgmt_frame_len));
|
|
+ return -EINVAL;
|
|
+ }
|
|
prbreq_ie_len = mgmt_frame_len - DOT11_MGMT_HDR_LEN;
|
|
|
|
/* Parse prob_req IEs */
|
|
--
|
|
cgit v1.1
|
|
|