diff options
| -rw-r--r-- | core/mac/src/pe/lim/lim_process_auth_frame.c | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/core/mac/src/pe/lim/lim_process_auth_frame.c b/core/mac/src/pe/lim/lim_process_auth_frame.c index 1b370aef0cf0..8948bda446af 100644 --- a/core/mac/src/pe/lim/lim_process_auth_frame.c +++ b/core/mac/src/pe/lim/lim_process_auth_frame.c @@ -1176,6 +1176,10 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info, body_ptr = WMA_GET_RX_MPDU_DATA(rx_pkt_info); + if (frame_len < 2) { + pe_err("invalid frame len: %d", frame_len); + return; + } auth_alg = *(uint16_t *) body_ptr; pe_debug("auth_alg %d ", auth_alg); @@ -1224,6 +1228,11 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info, mac_hdr->sa, pe_session, false); goto free; } + + if (frame_len < 4) { + pe_err("invalid frame len: %d", frame_len); + goto free; + } /* Extract key ID from IV (most 2 bits of 4th byte of IV) */ key_id = (*(body_ptr + 3)) >> 6; |