Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6641525c authored Aug 08, 2017 by Hamad Kadmany Committed by Kalle Valo Aug 08, 2017

wil6210: protect against invalid length of tx management frame



Validate buffer length has the minimum needed size
when sending management frame to protect against
possible buffer overrun.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

parent 3588e111

drivers/net/wireless/ath/wil6210/cfg80211.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy wiphy, struct wireless_dev wdev,
		wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
		len, true);

		if (len < sizeof(struct ieee80211_hdr_3addr))
		return -EINVAL;

		cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
		if (!cmd) {
		rc = -ENOMEM;

drivers/net/wireless/ath/wil6210/debugfs.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -801,6 +801,9 @@ static ssize_t wil_write_file_txmgmt(struct file file, const char __user buf,
		int rc;
		void *frame;

		if (!len)
		return -EINVAL;

		frame = memdup_user(buf, len);
		if (IS_ERR(frame))
		return PTR_ERR(frame);