
qcacld-3.0: Add sanity check to limit mgmt frames data len

Currently the mpdu_data_len in Rx pkt meta is not checked for
upper bound in wma_form_rx_packet.

Add sanity check to drop the packet if mpdu_data_len is
greater than 2000 bytes. Also add upper bound check for
frame_len in lim_process_auth_frame function.

Change-Id: I7ab454045e2f6d278351dcabde6da556f9f741e0
CRs-Fixed: 2093392
Vignesh Viswanathan před 7 roky
rodič
revize
56f262563b

+ 2 - 1
core/mac/src/pe/lim/lim_process_auth_frame.c

@@ -1196,7 +1196,8 @@ lim_process_auth_frame(tpAniSirGlobal mac_ctx, uint8_t *rx_pkt_info,
 			goto free;
 		}
 
-		if (frame_len < LIM_ENCR_AUTH_BODY_LEN_SAP) {
+		if ((frame_len < LIM_ENCR_AUTH_BODY_LEN_SAP) ||
+		    (frame_len > LIM_ENCR_AUTH_BODY_LEN)) {
 			/* Log error */
 			pe_err("Not enough size: %d to decry rx Auth frm",
 				frame_len);
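Review bot: The error text under the widened condition still reads "Not enough size", so a frame rejected for exceeding LIM_ENCR_AUTH_BODY_LEN is logged as too short, which misleads anyone triaging oversized Auth frames. A neutral message covers both bounds, for example `pe_err("Invalid size: %d to decrypt rx Auth frm", frame_len);`. The upper bound presumably protects a fixed-size buffer used later in the decrypt path, but that code is outside the hunk, so it is worth confirming that LIM_ENCR_AUTH_BODY_LEN matches that buffer's size. lim_process_auth_frame starts and ends outside the hunk.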

+ 2 - 0
core/wma/inc/wma.h

@@ -90,6 +90,8 @@
 #endif
 #define WMA_MAX_SUPPORTED_BSS     5
 
+#define WMA_MAX_MGMT_MPDU_LEN 2000
+
 #define FRAGMENT_SIZE 3072
 
 #define MAX_PRINT_FAILURE_CNT 50
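Review bot: WMA_MAX_MGMT_MPDU_LEN is a security-relevant limit but is added without a comment giving its unit, what it bounds, or where 2000 comes from. A short comment above the define would help, such as `/* Upper bound, in bytes, on mpdu_data_len accepted for received mgmt frames */`. If the value is derived from a buffer size or a frame-size limit defined elsewhere, naming that source in the comment would let later changes keep the two in step.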

+ 12 - 0
core/wma/src/wma_mgmt.c

@@ -3547,6 +3547,18 @@ int wma_form_rx_packet(qdf_nbuf_t buf,
 
 	wh = (struct ieee80211_frame *)qdf_nbuf_data(buf);
 
+	/*
+	 * If the mpdu_data_len is greater than Max (2k), drop the frame
+	 */
+	if (rx_pkt->pkt_meta.mpdu_data_len > WMA_MAX_MGMT_MPDU_LEN) {
+		WMA_LOGE("Data Len %d greater than max, dropping frame from "MAC_ADDRESS_STR,
+			 rx_pkt->pkt_meta.mpdu_data_len,
+			 MAC_ADDR_ARRAY(wh->i_addr3));
+		qdf_nbuf_free(buf);
+		qdf_mem_free(rx_pkt);
+		return -EINVAL;
+	}
+
 	rx_pkt->pkt_meta.mpdu_hdr_ptr = qdf_nbuf_data(buf);
 	rx_pkt->pkt_meta.mpdu_data_ptr = rx_pkt->pkt_meta.mpdu_hdr_ptr +
 					 rx_pkt->pkt_meta.mpdu_hdr_len;
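Review bot: The new guard bounds mpdu_data_len only by the constant WMA_MAX_MGMT_MPDU_LEN, not by the amount of data actually held in buf. A length of 2000 or less that still exceeds the nbuf contents would pass and be used with the pointers set up just below. Unless an earlier check already covers this (the start of wma_form_rx_packet is outside the hunk), consider also dropping the frame when `rx_pkt->pkt_meta.mpdu_hdr_len + rx_pkt->pkt_meta.mpdu_data_len > qdf_nbuf_len(buf)`. The drop path also logs at error level for every oversized frame, which a remote sender can trigger repeatedly, so rate-limiting that message would keep the log usable.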