2017-11-07 17:32:46 -05:00


From 2935fde98001eca0f8dafad827933ce60d44ffba Mon Sep 17 00:00:00 2001
From: Insun Song <insun.song@broadcom.com>
Date: Wed, 24 May 2017 09:21:02 -0700
Subject: net: wireless: bcmdhd: adding boundary check in
wl_notify_rx_mgmt_frame
Added a boundary check on the input parameters so that malformed input injected by a user cannot corrupt the kernel heap.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 37306719
Change-Id: I6dc12e9bcfce8f3b43ecf14bfd6976bf87afeaa5
---
drivers/net/wireless/bcmdhd/wl_cfg80211.c | 14 ++++++++++++--
1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 842091f..021f69f7 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -9657,9 +9657,15 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
u32 event = ntoh32(e->event_type);
u8 *mgmt_frame;
u8 bsscfgidx = e->bsscfgidx;
- u32 mgmt_frame_len = ntoh32(e->datalen) - sizeof(wl_event_rx_frame_data_t);
+ u32 mgmt_frame_len = ntoh32(e->datalen);
u16 channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));
+ if (mgmt_frame_len < sizeof(wl_event_rx_frame_data_t)) {
+ WL_ERR(("wrong datalen:%d\n", mgmt_frame_len));
+ return -EINVAL;
+ }
+ mgmt_frame_len -= sizeof(wl_event_rx_frame_data_t);
+
memset(&bssid, 0, ETHER_ADDR_LEN);
ndev = cfgdev_to_wlc_ndev(cfgdev, cfg);
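Review bot: The new length guard is placed after the `channel` initializer on the preceding context line, so `rxframe->channel` is still read before the event payload has been confirmed to hold a whole wl_event_rx_frame_data_t; if rxframe points into the same `data` payload that datalen describes (the subtraction of sizeof(wl_event_rx_frame_data_t) suggests it does, but rxframe's declaration is outside the hunk), that read is exactly the short-payload access the check is meant to stop. Declare `u16 channel;` with the other locals and assign `channel = ((ntoh16(rxframe->channel) & WL_CHANSPEC_CHAN_MASK));` after the `return -EINVAL;` guard. The error message also prints a u32 with `%d`; `WL_ERR(("wrong datalen:%u\n", mgmt_frame_len));` matches the type. The function signature and the rest of the body lie outside this hunk.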
@@ -9781,7 +9787,11 @@ wl_notify_rx_mgmt_frame(struct bcm_cfg80211 *cfg, bcm_struct_cfgdev *cfgdev,
WL_DBG((" Event WLC_E_PROBREQ_MSG received\n"));
mgmt_frame = (u8 *)(data);
mgmt_frame_len = ntoh32(e->datalen);
-
+ if (mgmt_frame_len < DOT11_MGMT_HDR_LEN) {
+ WL_ERR(("WLC_E_PROBREQ_MSG - wrong datalen:%d\n",
+ mgmt_frame_len));
+ return -EINVAL;
+ }
prbreq_ie_len = mgmt_frame_len - DOT11_MGMT_HDR_LEN;
/* Parse prob_req IEs */
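Review bot: The added WL_ERR line prints a u32 with `%d`; `WL_ERR(("WLC_E_PROBREQ_MSG - wrong datalen:%u\n", mgmt_frame_len));` matches the variable's type. The guard establishes only that a full 802.11 management header fits in the payload; prbreq_ie_len is then passed to IE parsing that lies beyond this hunk, so whether each IE's own length field is bounded against prbreq_ie_len cannot be confirmed here and deserves a look. A one-line comment above `mgmt_frame_len = ntoh32(e->datalen);` saying that this event's payload is taken from the start of `data` with no wl_event_rx_frame_data_t prefix subtracted, unlike the generic path at the top of the function, would explain why the length is re-derived here — presumably that is the layout, but the hunk does not show it. The enclosing switch case continues past the end of the hunk.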
--