evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wil6210: protect against invalid length of tx management frame

Browse source 
This check is not valid:
if (len < sizeof(struct ieee80211_mgmt))
Because ieee80211_mgmt contains the ieee80211 header followed by
a union of various action frames, so the check will fail when trying
to send any management frame which is smaller than the largest action
frame in the union. This breaks FST and possibly other features.
Fix this by checking only against the header structure size.

Change-Id: I730300e180d9509f3555f16a0803af53cc8eca0a
Signed-off-by: Lior David <liord@codeaurora.org>
This commit is contained in:
Lior David 2017-07-30 20:32:38 +03:00
parent 1e931d0f3f
commit 1b3f613621
1 changed files with 1 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
drivers/net/wireless/ath/wil6210/cfg80211.c
View file

@ -960,7 +960,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
len, true);
if (len < sizeof(struct ieee80211_mgmt))
if (len < sizeof(struct ieee80211_hdr_3addr))
return -EINVAL;
cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);