qcacld-3.0: Prevent possible OOB access in hdd_sendactionframe

In the function hdd_sendactionframe, the parameters passed include the
payload and the corresponding payload length; payload being generic
pointer. The payload is then typecasted into the destination structure
of type tpSirMacVendorSpecificFrameHdr. If the size of the payload
specified in payload_len is less than the size of the destination
structure, there is possiblility of OOB read while accessing the same.

To prevent this security vulnerability, add a sanity check for the
payload_len against the size of the destination structure.

Change-Id: Ib0e7b7bfcf78412d81f18cf887e5296d80272598
CRs-Fixed: 2517858

0 files changed, 0 insertions, 0 deletions