From 847482ff8ecc642d54d0a4f0d4cca14a54c8f124 Mon Sep 17 00:00:00 2001 From: Rakesh Pillai Date: Tue, 16 May 2017 19:49:49 +0530 Subject: [PATCH] qcacmn: Fix buffer overflow when radiotap header is larger than available headroom The condition which detects if the length of the radiotap header is greater than the available headroom in the skb is incorrect. Correction to check if sufficient headroom is available for updating the radiotap header. Change-Id: I71c140c6af415678efe66cff2f16b8cabc62697a CRs-Fixed: 2047909
---
 qdf/linux/src/qdf_nbuf.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/qdf/linux/src/qdf_nbuf.c b/qdf/linux/src/qdf_nbuf.c
index 99141596dd..92e67aca4b 100644
--- a/qdf/linux/src/qdf_nbuf.c
+++ b/qdf/linux/src/qdf_nbuf.c
@@ -2748,7 +2748,7 @@ unsigned int qdf_nbuf_update_radiotap(struct mon_rx_status *rx_status,
 }
 rthdr->it_len = cpu_to_le16(rtap_len);
- if ((headroom_sz - rtap_len) < 0) {
+ if (headroom_sz < rtap_len) {
 qdf_print("ERROR: not enough space to update radiotap\n");
 return 0;
 }
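Review bot: The new guard `if (headroom_sz < rtap_len)` only bounds the later push into the skb; it runs after `rthdr->it_len = cpu_to_le16(rtap_len);`, so by the time it executes the radiotap fields have already been written wherever `rthdr` points. That storage is declared outside this hunk, so if it is a fixed-size staging buffer I would confirm that `rtap_len` is also bounded against its size before the fields are filled in. The comparison form deserves a one-line comment, for example `/* compare, do not subtract: with unsigned operands the difference is never negative */`, assuming both variables are unsigned, which would explain why the old test never fired. The function body starts and ends outside the hunk.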