authorHanumanth Reddy Pothula <c_hpothu@codeaurora.org>2016-11-17 15:17:29 +0530
committerGerrit - the friendly Code Review server <code-review@localhost>2016-11-29 23:14:52 -0800
commit4412e96b1e29b677cfc1cadde2d8ea6c56c4ae7d (patch)
tree54a4318a13abf31f5b2504a889ab25ddba866680
parent1500ce0af890949985b07fb505c2b1f9f67b95a7 (diff)
qcacld-2.0: Validate netlink packet length
While processing a netlink packet (logger app), the packet length is validated incorrectly, causing packets to be dropped without processing. Validate the netlink packet length properly by checking the whole netlink packet size (including the header) against the skb's len. Change-Id: Ia6fc1a4c090084ad197ae198404c9083d0acb8e4 CRs-Fixed: 1075397
-rw-r--r--CORE/SVC/src/logging/wlan_logging_sock_svc.c12
1 files changed, 7 insertions, 5 deletions
diff --git a/CORE/SVC/src/logging/wlan_logging_sock_svc.c b/CORE/SVC/src/logging/wlan_logging_sock_svc.c
index 6e20a850950c..56d1b92ddc3b 100644
--- a/CORE/SVC/src/logging/wlan_logging_sock_svc.c
+++ b/CORE/SVC/src/logging/wlan_logging_sock_svc.c
@@ -189,7 +189,7 @@ static int wlan_send_sock_msg_to_app(tAniHdr *wmsg, int radio,
tAniNlHdr *wnl = NULL;
struct sk_buff *skb;
struct nlmsghdr *nlh;
- int wmsg_length = wmsg->length;
+ int wmsg_length = ntohs(wmsg->length);
static int nlmsg_seq;
if (radio < 0 || radio > ANI_MAX_RADIOS) {
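Review bot: The switch to `ntohs(wmsg->length)` on the send path changes the contract of wlan_send_sock_msg_to_app without documenting it, and the commit message only talks about the receive-side check. Every caller now has to store `length` in network byte order; one that still fills it in host order would give a byte-swapped `wmsg_length` on a little-endian target, and that value presumably sizes the outgoing message further down. A comment on the declaration such as `/* wmsg->length is in network byte order; callers set it with htons() */` would make the requirement explicit, and the callers are worth auditing. The function body continues outside this hunk, so the later uses of `wmsg_length` are not visible here.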
@@ -818,7 +818,7 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb)
tAniNlHdr *wnl;
int radio;
int type;
- int ret;
+ int ret, len;
wnl = (tAniNlHdr *) skb->data;
radio = wnl->radio;
@@ -831,10 +831,12 @@ static int wlan_logging_proc_sock_rx_msg(struct sk_buff *skb)
return -EINVAL;
}
- if (wnl->wmsg.length > skb->data_len) {
+ len = ntohs(wnl->wmsg.length) + sizeof(tAniNlHdr);
+ if (len > skb_headlen(skb)) {
LOGGING_TRACE(VOS_TRACE_LEVEL_ERROR,
- "%s: invalid length msgLen:%x skb data_len:%x\n",
- __func__, wnl->wmsg.length, skb->data_len);
+ "%s: invalid length, msgLen:%x skb len:%x headLen: %d data_len: %d",
+ __func__, len, skb->len, skb_headlen(skb),
+ skb->data_len);
return -EINVAL;
}
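Review bot: Nothing visible checks that the linear part of the skb holds a full `tAniNlHdr` before its fields are read: `ntohs(wnl->wmsg.length)` in the new `len` computation, and `wnl->radio` after the cast in the previous hunk, are both taken from `skb->data` before any size comparison. A message shorter than the header would be read past the end of the received data, and the new upper-bound test would then run on whatever was read. Unless the lines between the two hunks (not shown) already do this, add `if (skb_headlen(skb) < sizeof(tAniNlHdr)) return -EINVAL;` right after `wnl` is assigned. Separately, `skb_headlen(skb)` and `skb->data_len` are unsigned, so `%u` fits better than `%d` in the new trace format. The function starts and ends outside this hunk.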