Return-path: Received: from sabertooth01.qualcomm.com ([65.197.215.72]:32235 "EHLO sabertooth01.qualcomm.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752546AbdGaQcl (ORCPT ); Mon, 31 Jul 2017 12:32:41 -0400 Cc: Hamad Kadmany , linux-wireless@vger.kernel.org, wil6210@qca.qualcomm.com, Maya Erez , Lior David From: Maya Erez To: Kalle Valo Subject: [PATCH 01/10] wil6210: protect against invalid length of tx management frame Date: Mon, 31 Jul 2017 19:32:24 +0300 Message-Id: <1501518753-6339-2-git-send-email-qca_merez@qca.qualcomm.com> (sfid-20170731_183306_312786_12C3054B) In-Reply-To: <1501518753-6339-1-git-send-email-qca_merez@qca.qualcomm.com> References: <1501518753-6339-1-git-send-email-qca_merez@qca.qualcomm.com> Sender: linux-wireless-owner@vger.kernel.org List-ID: From: Hamad Kadmany Validate buffer length has the minimum needed size when sending management frame to protect against possible buffer overrun. Signed-off-by: Hamad Kadmany Signed-off-by: Lior David Signed-off-by: Maya Erez --- drivers/net/wireless/ath/wil6210/cfg80211.c | 3 +++ drivers/net/wireless/ath/wil6210/debugfs.c | 3 +++ 2 files changed, 6 insertions(+) diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c index 0b5383a..77af749 100644 --- a/drivers/net/wireless/ath/wil6210/cfg80211.c +++ b/drivers/net/wireless/ath/wil6210/cfg80211.c @@ -884,6 +884,9 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, wil_hex_dump_misc("mgmt tx frame ", DUMP_PREFIX_OFFSET, 16, 1, buf, len, true); + if (len < sizeof(struct ieee80211_hdr_3addr)) + return -EINVAL; + cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL); if (!cmd) { rc = -ENOMEM; diff --git a/drivers/net/wireless/ath/wil6210/debugfs.c b/drivers/net/wireless/ath/wil6210/debugfs.c index f82506d..a2b5d59 100644 --- a/drivers/net/wireless/ath/wil6210/debugfs.c +++ b/drivers/net/wireless/ath/wil6210/debugfs.c @@ -801,6 +801,9 @@ static ssize_t wil_write_file_txmgmt(struct file *file, const char __user *buf, int rc; void *frame; + if (!len) + return -EINVAL; + frame = memdup_user(buf, len); if (IS_ERR(frame)) return PTR_ERR(frame); -- 1.9.1