From e3355ebff03fafb3cb1759ca82721123b4c5e5fc Mon Sep 17 00:00:00 2001
From: Zhao Xuewen <zhaoxuewen@huawei.com>
Date: Fri, 8 Apr 2016 10:46:26 +0800
Subject: [PATCH] net: wireless: bcmdhd: check packet length for event messages

Check that the datalen field is less than the size of the
packet received from the network.

Bug: 25306181

Signed-off-by: Patrick Tjin <pattjin@google.com>
Change-Id: I3b021d88a95bd7d4e6e0d745d2527d73487bcadc
---
 drivers/net/wireless/bcmdhd/dhd_common.c | 6 ++++++
 drivers/net/wireless/bcmdhd/dhd_linux.c  | 2 +-
 2 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/bcmdhd/dhd_common.c b/drivers/net/wireless/bcmdhd/dhd_common.c
index d6f31a977577..01cc8be004f7 100644
--- a/drivers/net/wireless/bcmdhd/dhd_common.c
+++ b/drivers/net/wireless/bcmdhd/dhd_common.c
@@ -1614,6 +1614,9 @@ wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, size_t pktlen,
 		return (BCME_ERROR);
 	}
 
+	if (pktlen < sizeof(bcm_event_t))
+		return (BCME_ERROR);
+
 	*data_ptr = &pvt_data[1];
 	event_data = *data_ptr;
 
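Review bot: The new `pktlen < sizeof(bcm_event_t)` check sits after code that runs earlier in wl_host_event, and the `return (BCME_ERROR);` immediately above the insertion suggests that earlier code already inspects the packet; if any of it reads fields through pvt_data before this point, those reads still happen on a packet shorter than a bcm_event_t and the guard comes too late. The length test should be the first thing the function does with pktdata, ahead of any field access, so that every dereference of pvt_data and event is covered. A one-line comment on the check would also help the next reader, e.g. `/* pktlen is the on-wire length; refuse anything too short to hold the fixed event header */`. The start of wl_host_event is outside the hunk, so the exact ordering of the earlier reads cannot be confirmed from here.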
@@ -1625,6 +1628,9 @@ wl_host_event(dhd_pub_t *dhd_pub, int *ifidx, void *pktdata, size_t pktlen,
 	flags = ntoh16_ua((void *)&event->flags);
 	status = ntoh32_ua((void *)&event->status);
 	datalen = ntoh32_ua((void *)&event->datalen);
+	if (datalen > pktlen)
+		return (BCME_ERROR);
+
 	evlen = datalen + sizeof(bcm_event_t);
 	if (evlen > pktlen) {
 		return (BCME_ERROR);
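Review bot: The added `if (datalen > pktlen)` check only makes sense as an overflow guard for the `evlen = datalen + sizeof(bcm_event_t)` on the next line, but nothing says so, and a maintainer who sees two overlapping length tests is likely to fold one away. Whether the addition can wrap depends on the declared type of evlen, which is outside the hunk: if it is narrower than size_t the guard is essential, if it is size_t on a 64-bit build it is belt-and-braces. Either way the intent should be stated, e.g. `/* datalen comes from the wire; bound it first so the addition below cannot wrap past pktlen */`. Since the earlier hunk already guarantees `pktlen >= sizeof(bcm_event_t)`, the two tests could also be collapsed into the single exact check `if (datalen > pktlen - sizeof(bcm_event_t)) return (BCME_ERROR);`, which needs no addition at all. The rest of wl_host_event continues outside the hunk.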
diff --git a/drivers/net/wireless/bcmdhd/dhd_linux.c b/drivers/net/wireless/bcmdhd/dhd_linux.c
index d55ff65c7133..74e3ed9941a6 100644
--- a/drivers/net/wireless/bcmdhd/dhd_linux.c
+++ b/drivers/net/wireless/bcmdhd/dhd_linux.c
@@ -2771,7 +2771,7 @@ dhd_rx_frame(dhd_pub_t *dhdp, int ifidx, void *pktbuf, int numpkt, uint8 chan)
 #else
 			skb->mac.raw,
 #endif /* LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 22) */
-			len,
+			len - 2,
 			&event,
 			&data);
 
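Review bot: `len - 2` is an unexplained magic number in the wl_host_event call, and the declaration of `len` is outside the hunk, so it is not visible whether a frame shorter than 2 bytes can reach this point; if `len` is unsigned, or is converted to the callee's size_t pktlen, such a frame produces a huge length that the new `pktlen < sizeof(bcm_event_t)` check cannot catch. The 2 should be a named constant with a comment stating what those bytes are (this reviewer cannot tell from the hunk), and the subtraction should be guarded where `len` is known, e.g. `if (len < 2) { /* drop */ }` before the call. The enclosing dhd_rx_frame body starts and ends outside the hunk.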
-- 
GitLab