From: Avinash Patil <patila@marvell.com>
To: <linville@tuxdriver.com>
Cc: <linux-wireless@vger.kernel.org>, <akarwar@marvell.com>,
	<huxm@marvell.com>, <yangyang@marvell.com>, <cluo@marvell.com>,
	<maithili@marvell.com>, Avinash Patil <patila@marvell.com>
Subject: [PATCH 01/17] mwifiex: fix probable memory corruption while processing TDLS frame
Date: Mon, 1 Sep 2014 18:28:49 +0530
Message-ID: <1409576345-13717-2-git-send-email-patila@marvell.com>
In-Reply-To: <1409576345-13717-1-git-send-email-patila@marvell.com>

Size of RSN IE buffer in driver is 254 while maximum size of received buffer
to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum
of 254 bytes into RSN IE buffer.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Avinash Patil <patila@marvell.com>
---
 drivers/net/wireless/mwifiex/tdls.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/mwifiex/tdls.c b/drivers/net/wireless/mwifiex/tdls.c
index 4c5fd95..e294907 100644
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -871,7 +871,9 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
 			break;
 		case WLAN_EID_RSN:
 			memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
-			       sizeof(struct ieee_types_header) + pos[1]);
+			       sizeof(struct ieee_types_header) +
+			       min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+				     sizeof(struct ieee_types_header)));
 			break;
 		case WLAN_EID_QOS_CAPA:
 			sta_ptr->tdls_cap.qos_info = pos[2];
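
Review bot: In the WLAN_EID_RSN case the clamped memcpy still copies the two header bytes straight from pos, so the length byte stored in sta_ptr->tdls_cap.rsn_ie remains pos[1] (up to 255) even when only IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header) payload bytes were copied. Any later code that trusts that stored length would read beyond the data actually held in rsn_ie, so consider either rewriting the stored length to the clamped value after the copy or skipping an oversized RSN IE instead of silently truncating it. Separately, min_t(u8, ...) casts both operands to u8, so the bound is only correct while IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header) fits in 8 bits; a short comment or a build-time check next to the memcpy would make that assumption explicit.
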
-- 
1.8.1.4

