update kernel to 5.10.198

hc

2024-01-03 2f7c68cb55ecb7331f2381deb497c27155f32faf

 kernel/drivers/net/wireless/marvell/mwifiex/util.c
..
..
@@ -405,11 +405,15 @@
405
405
 	}
406
406
 
407
407
 	rx_pd = (struct rxpd *)skb->data;
408
+	pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
409
+	if (pkt_len < sizeof(struct ieee80211_hdr) + sizeof(pkt_len)) {
410
+		mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
411
+		return -1;
412
+	}
408
413
 
409
414
 	skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
410
415
 	skb_pull(skb, sizeof(pkt_len));
411
-
412
-	pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
416
+	pkt_len -= sizeof(pkt_len);
413
417
 
414
418
 	ieee_hdr = (void *)skb->data;
415
419
 	if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
..
..
@@ -422,7 +426,7 @@
422
426
 		skb->data + sizeof(struct ieee80211_hdr),
423
427
 		pkt_len - sizeof(struct ieee80211_hdr));
424
428
 
425
-	pkt_len -= ETH_ALEN + sizeof(pkt_len);
429
+	pkt_len -= ETH_ALEN;
426
430
 	rx_pd->rx_pkt_length = cpu_to_le16(pkt_len);
427
431
 
428
432
 	cfg80211_rx_mgmt(&priv->wdev, priv->roc_cfg.chan.center_freq,