wil6210: protect against invalid length of tx management frame

Validate buffer length has the minimum needed size
when sending management frame to protect against
possible buffer overrun.

Signed-off-by: Hamad Kadmany <qca_hkadmany@qca.qualcomm.com>
Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>

diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 0b5383a62d4263f3615fccbee6708ff0f511b453..77af7492420df62e6121d8c16b499a0a57685c07 100644 (file)
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
        wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf,
                          len, true);
 
+       if (len < sizeof(struct ieee80211_hdr_3addr))
+               return -EINVAL;
+
        cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
        if (!cmd) {
                rc = -ENOMEM;

diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c
index f82506d276d316708f57389af6f8aa6257187887..a2b5d595aa1911cb0b9217f6a87336f8c30aab1c 100644 (file)
--- a/drivers/net/wireless/ath/wil6210/debugfs.c
+++ b/drivers/net/wireless/ath/wil6210/debugfs.c
@@ -801,6 +801,9 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf,
        int rc;
        void *frame;
 
+       if (!len)
+               return -EINVAL;
+
        frame = memdup_user(buf, len);
        if (IS_ERR(frame))
                return PTR_ERR(frame);