> diff --git a/drivers/net/wireless/marvell/mwifiex/util.c b/drivers/net/wireless/marvell/mwifiex/util.c
> index 94c2d219835d..31e1a82883e4 100644
> --- a/drivers/net/wireless/marvell/mwifiex/util.c
> +++ b/drivers/net/wireless/marvell/mwifiex/util.c
> @@ -399,6 +399,11 @@ mwifiex_process_mgmt_packet(struct mwifiex_private *priv,
>
> pkt_len = le16_to_cpu(rx_pd->rx_pkt_length);
>
> + if (pkt_len < sizeof(struct ieee80211_hdr) || skb->len < pkt_len) {

I've tested this patch a bit on a ChromeOS device and I've noticed empirically that skb->len is often (always?) two less than pkt_len, implying that pkt_len actually includes the rx_pkt_length field as well (note that pkt_len gets adjusted by ETH_ALEN + sizeof(pkt_len) below), so we end up hitting this condition reliably in certain situations. This probably means the memmove below is not entirely correct, but either way I don't think this patch is correct on its own. Consider my Reviewed-by tag removed until this gets resolved.

> + mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length");
> + return -1;
> + }
> +
> ieee_hdr = (void *)skb->data;
> if (ieee80211_is_mgmt(ieee_hdr->frame_control)) {
> if (mwifiex_parse_mgmt_packet(priv, (u8 *)ieee_hdr,
> --
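Review bot: The new minimum-length check on the added `if` line only guarantees that the 30-byte `struct ieee80211_hdr` is present, yet the frame is then handed to `mwifiex_parse_mgmt_packet()` at the end of the hunk; if that helper dereferences the category and action-code bytes that follow the header for action frames without checking its `len` argument (its body is not in this hunk, so this needs confirming), a frame of exactly the minimum size still reads past the validated region. Either raise the minimum here to cover every byte that helper dereferences, or add an explicit `len` check inside it, and record in a comment which bytes the bound is meant to cover. The log line would also be far more useful for diagnosing rejected frames if it carried the offending values and the trailing newline the other mwifiex_dbg messages in this driver appear to use: `mwifiex_dbg(priv->adapter, ERROR, "invalid rx_pkt_length %u (skb->len %u)\n", pkt_len, skb->len);`. The early `return -1` presumably relies on the caller freeing the skb, as the function's other failure paths would; mwifiex_process_mgmt_packet() starts before and ends after this hunk.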