wil6210: protect against invalid length of tx management frame

Validate buffer length has the minimum needed size when sending management frame to protect against possible buffer overrun. Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com> Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

wil6210: protect against invalid length of tx management frame
Validate buffer length has the minimum needed size when sending management frame to protect against possible buffer overrun. Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com> Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
6641525c · Hamad Kadmany · Kalle Valo · 3588e111 · 6641525c · 6641525c
Commit 6641525c authored Aug 08, 2017 by Hamad Kadmany Committed by Kalle Valo Aug 08, 2017
Showing with 6 additions and 0 deletions

drivers/net/wireless/ath/wil6210/cfg80211.c drivers/net/wireless/ath/wil6210/cfg80211.c +3 -0

drivers/net/wireless/ath/wil6210/debugfs.c drivers/net/wireless/ath/wil6210/debugfs.c +3 -0

No files found.
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
 	wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
 			  len, true);

+	if (len < sizeof(struct ieee80211_hdr_3addr))
+		return -EINVAL;
+
 	cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
 	if (!cmd) {
 		rc = -ENOMEM;

--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -801,6 +801,9 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf,
 	int rc;
 	void *frame;

+	if (!len)
+		return -EINVAL;
+
 	frame = memdup_user(buf, len);
 	if (IS_ERR(frame))
 		return PTR_ERR(frame);