OSDN Git Service
(root)
/
sagit-ice-cold
/
kernel_xiaomi_msm8998.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
mwifiex: Fix possible buffer overflows in mwifiex_cmd_append_vsie_tlv()
[sagit-ice-cold/kernel_xiaomi_msm8998.git]
/
drivers
/
net
/
wireless
/
mwifiex
/
scan.c
diff --git
a/drivers/net/wireless/mwifiex/scan.c
b/drivers/net/wireless/mwifiex/scan.c
index
39b78dc
..
e7c8972
100644
(file)
--- a/
drivers/net/wireless/mwifiex/scan.c
+++ b/
drivers/net/wireless/mwifiex/scan.c
@@
-2568,6
+2568,13
@@
mwifiex_cmd_append_vsie_tlv(struct mwifiex_private *priv,
vs_param_set->header.len =
cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
& 0x00FF) + 2);
vs_param_set->header.len =
cpu_to_le16((((u16) priv->vs_ie[id].ie[1])
& 0x00FF) + 2);
+ if (le16_to_cpu(vs_param_set->header.len) >
+ MWIFIEX_MAX_VSIE_LEN) {
+ mwifiex_dbg(priv->adapter, ERROR,
+ "Invalid param length!\n");
+ break;
+ }
+
memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
le16_to_cpu(vs_param_set->header.len));
*buffer += le16_to_cpu(vs_param_set->header.len) +
memcpy(vs_param_set->ie, priv->vs_ie[id].ie,
le16_to_cpu(vs_param_set->header.len));
*buffer += le16_to_cpu(vs_param_set->header.len) +