From 6641525ce40ef45641c8f43bb19cd4e471e4cb75 Mon Sep 17 00:00:00 2001
From: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
Date: Tue, 8 Aug 2017 14:16:40 +0300
Subject: wil6210: protect against invalid length of tx management frame

Validate buffer length has the minimum needed size
when sending management frame to protect against
possible buffer overrun.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
---
 drivers/net/wireless/ath/wil6210/cfg80211.c | 3 +++
 1 file changed, 3 insertions(+)

(limited to 'drivers/net/wireless/ath/wil6210/cfg80211.c')

diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 0b5383a62d42..77af7492420d 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
 	wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
 			  len, true);
 
+	if (len < sizeof(struct ieee80211_hdr_3addr))
+		return -EINVAL;
+
 	cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
 	if (!cmd) {
 		rc = -ENOMEM;
-- 
cgit v1.2.3