Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit cbd8199a authored Jun 20, 2017 by Hamad Kadmany Committed by Gerrit - the friendly Code Review server Jul 06, 2017

wil6210: protect against invalid length of tx management frame



Validate buffer length has the minimum needed size
when sending management frame to protect against
possible buffer overrun.

Change-Id: Ib5aed79694100597d7f71a9e8d4e8dba91be538a
Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>

parent 1e3155be

drivers/net/wireless/ath/wil6210/cfg80211.c

+3 −0

Original line number	Diff line number	Diff line
		@@ -784,6 +784,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy wiphy, struct wireless_dev wdev,
		wil_dbg_misc(wil, "%s()\n", __func__);
		print_hex_dump_bytes("mgmt tx frame ", DUMP_PREFIX_OFFSET, buf, len);

		if (len < sizeof(struct ieee80211_mgmt))
		return -EINVAL;

		cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
		if (!cmd) {
		rc = -ENOMEM;

drivers/net/wireless/ath/wil6210/debugfs.c

+5 −1

Original line number	Diff line number	Diff line
		@@ -807,8 +807,12 @@ static ssize_t wil_write_file_txmgmt(struct file file, const char __user buf,
		struct wireless_dev *wdev = wil_to_wdev(wil);
		struct cfg80211_mgmt_tx_params params;
		int rc;
		void *frame = kmalloc(len, GFP_KERNEL);
		void *frame;

		if (!len)
		return -EINVAL;

		frame = kmalloc(len, GFP_KERNEL);
		if (!frame)
		return -ENOMEM;