forked from ~ljy/RK356X_SDK_RELEASE
blame | history | patch | commit | commitdiff
hc
2024-10-22 8ac6c7a54ed1b98d142dce24b11c6de6a1e239a5 
 kernel/drivers/net/wireless/marvell/mwifiex/util.c
....@@ -405,11 +405,15 @@
405405 	}
406406 
407407 	rx_pd = (struct rxpd *)skb->data;
408
+	pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
409
+	if (pkt_len < sizeof(struct ieee80211_hdr) + sizeof(pkt_len)) {
410
+		mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
411
+		return -1;
412
+	}
408413 
409414 	skb_pull(skb, le16_to_cpu(rx_pd->rx_pkt_offset));
410415 	skb_pull(skb, sizeof(pkt_len));
411
-
412
-	pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
416
+	pkt_len -= sizeof(pkt_len);
413417 
414418 	ieee_hdr = (void *)skb->data;
415419 	if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
....@@ -422,7 +426,7 @@
422426 		skb->data + sizeof(struct ieee80211_hdr),
423427 		pkt_len - sizeof(struct ieee80211_hdr));
424428 
425
-	pkt_len -= ETH_ALEN + sizeof(pkt_len);
429
+	pkt_len -= ETH_ALEN;
426430 	rx_pd->rx_pkt_length = cpu_to_le16(pkt_len);
427431 
428432 	cfg80211_rx_mgmt(&priv->wdev, priv->roc_cfg.chan.center_freq,