diff options
author | Insun Song <insun.song@broadcom.com> | 2017-05-03 16:20:41 -0700 |
---|---|---|
committer | SecurityBot <android-nexus-securitybot@system.gserviceaccount.com> | 2017-05-05 14:29:24 -0700 |
commit | f537712640a6ca3c3a0637eb698dc022461af443 (patch) | |
tree | b35ca150acee5023d5e1e738729bc25ab8a4ee64 | |
parent | fa77dae7e535086873ff4ec1906d2854d9f63acf (diff) | |
download | x86_64-f537712640a6ca3c3a0637eb698dc022461af443.tar.gz |
net: wireless: bcmdhd: adding boundary check in wl_cfg80211_mgmt_tx
added boundary check for user-input parameter not to corrupt kernel
memmory.
Signed-off-by: Insun Song <insun.song@broadcom.com>
Bug: 35195787
Change-Id: Ia497feae5f502c9a650e50a39fd0620fa976d908
-rw-r--r-- | drivers/net/wireless/bcmdhd/wl_cfg80211.c | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c index ecbe643b6dad..c0a97283980e 100644 --- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c +++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c @@ -5788,6 +5788,10 @@ wl_cfg80211_mgmt_tx(struct wiphy *wiphy, bcm_struct_cfgdev *cfgdev, WL_DBG(("Enter \n")); + if (len > (ACTION_FRAME_SIZE + DOT11_MGMT_HDR_LEN)) { + WL_ERR(("bad length:%zu\n", len)); + return BCME_BADARG; + } dev = cfgdev_to_wlc_ndev(cfgdev, cfg); /* set bsscfg idx for iovar (wlan0: P2PAPI_BSSCFG_PRIMARY, p2p: P2PAPI_BSSCFG_DEVICE) */ |