qcacmn: Validate the buffer length in rx mgmt handler

In the WMI_MGMT_RX_EVENTID event handling, add a length
check to validate if the buffer length sent by the firmware
is less than or equal to the actual buffer length.

Change-Id: I7db9af48bc525543b972dcaf40aee0a05d8f5023
CRs-Fixed: 3001331

parent e2ed382e

wmi/src/wmi_unified_tlv.c

+5 −0

Original line number	Diff line number	Diff line
		@@ -9026,6 +9026,11 @@ static QDF_STATUS extract_mgmt_rx_params_tlv(wmi_unified_t wmi_handle,
		return QDF_STATUS_E_INVAL;
		}

		if (ev_hdr->buf_len > param_tlvs->num_bufp) {
		WMI_LOGE("Rx mgmt frame length mismatch, discard it");
		return QDF_STATUS_E_INVAL;
		}

		hdr->pdev_id = wmi_handle->ops->convert_pdev_id_target_to_host(
		wmi_handle,
		ev_hdr->pdev_id);