From 1b3f613621764b2b66259852a448924c2e1d6773 Mon Sep 17 00:00:00 2001 From: Lior David Date: Sun, 30 Jul 2017 20:32:38 +0300 Subject: [PATCH] wil6210: protect against invalid length of tx management frame This check is not valid: if (len < sizeof(struct ieee80211_mgmt)) Because ieee80211_mgmt contains the ieee80211 header followed by a union of various action frames, so the check will fail when trying to send any management frame which is smaller than the largest action frame in the union. This breaks FST and possibly other features. Fix this by checking only against the header structure size. Change-Id: I730300e180d9509f3555f16a0803af53cc8eca0a Signed-off-by: Lior David --- drivers/net/wireless/ath/wil6210/cfg80211.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c index 63bb7686b811..94861020af12 100644 --- a/drivers/net/wireless/ath/wil6210/cfg80211.c +++ b/drivers/net/wireless/ath/wil6210/cfg80211.c @@ -960,7 +960,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf, len, true); - if (len < sizeof(struct ieee80211_mgmt)) + if (len < sizeof(struct ieee80211_hdr_3addr)) return -EINVAL; cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
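Review bot: at the changed check in wil_cfg80211_mgmt_tx, `len < sizeof(struct ieee80211_hdr_3addr)` now guarantees only that the fixed header is present, and nothing in the code records why the smaller structure is used. A one-line comment there, saying the body of struct ieee80211_mgmt is a union sized to its largest member, would keep someone from "restoring" the old check later. Writing the bound as `offsetof(struct ieee80211_mgmt, u)` would also tie it to the structure the buffer is actually interpreted as. Since shorter frames are now accepted, any code after this point that reads a field inside the union needs its own length check for that field. Separately, the context line `cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);` shows no upper bound on len within this hunk. If the caller does not already cap it, an explicit maximum before the allocation would make the size arithmetic safe by construction. The subject line says "protect against invalid length" while the body describes relaxing a check that was too strict, so a subject that says the minimum-length check is being corrected would match the change better.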