net: wireless: bcmdhd: adding boundary check in wl_cfg80211_mgmt_tx

added boundary check for user-input parameter not to corrupt kernel memmory. Signed-off-by: Insun Song <insun.song@broadcom.com> Bug: 35195787 Change-Id: Ia497feae5f502c9a650e50a39fd0620fa976d908
author: Insun Song <insun.song@broadcom.com> 2017-05-03 16:20:41 -0700
committer: SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> 2017-05-05 14:29:24 -0700
commit: f537712640a6ca3c3a0637eb698dc022461af443 (patch)
tree: b35ca150acee5023d5e1e738729bc25ab8a4ee64
parent: fa77dae7e535086873ff4ec1906d2854d9f63acf (diff)
download: x86_64-f537712640a6ca3c3a0637eb698dc022461af443.tar.gz
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index ecbe643b6dad..c0a97283980e 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -5788,6 +5788,10 @@ wl_cfg80211_mgmt_tx(struct wiphy *wiphy, bcm_struct_cfgdev *cfgdev,
 
 	WL_DBG(("Enter \n"));
 
+	if (len > (ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)) {
+		WL_ERR(("bad length:%zu\n", len));
+		return BCME_BADARG;
+	}
 	dev = cfgdev_to_wlc_ndev(cfgdev, cfg);
 
 	/* set bsscfg idx for iovar (wlan0: P2PAPI_BSSCFG_PRIMARY, p2p: P2PAPI_BSSCFG_DEVICE)	*/
author	Insun Song <insun.song@broadcom.com>	2017-05-03 16:20:41 -0700
committer	SecurityBot <android-nexus-securitybot@system.gserviceaccount.com>	2017-05-05 14:29:24 -0700
commit	f537712640a6ca3c3a0637eb698dc022461af443 (patch)
tree	b35ca150acee5023d5e1e738729bc25ab8a4ee64
parent	fa77dae7e535086873ff4ec1906d2854d9f63acf (diff)
download	x86_64-f537712640a6ca3c3a0637eb698dc022461af443.tar.gz