evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

wil6210: protect against invalid length of tx management frame

Browse source 
Validate buffer length has the minimum needed size
when sending management frame to protect against
possible buffer overrun.

Change-Id: Ib5aed79694100597d7f71a9e8d4e8dba91be538a
Signed-off-by: Hamad Kadmany <hkadmany@codeaurora.org>
This commit is contained in:
Hamad Kadmany 2017-06-20 13:55:07 +03:00
parent 0045ec6f11
commit 7041944896
2 changed files with 8 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
drivers/net/wireless/ath/wil6210/cfg80211.c
View file

@ -960,6 +960,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
len, true);
if (len < sizeof(struct ieee80211_mgmt))
return -EINVAL;
cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
if (!cmd) {
rc = -ENOMEM;

6
drivers/net/wireless/ath/wil6210/debugfs.c
View file

@ -805,8 +805,12 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf,
struct wireless_dev *wdev = wil_to_wdev(wil);
struct cfg80211_mgmt_tx_params params;
int rc;
void *frame = kmalloc(len, GFP_KERNEL);
void *frame;
if (!len)
return -EINVAL;
frame = kmalloc(len, GFP_KERNEL);
if (!frame)
return -ENOMEM;