* [PATCH] staging: wilc1000: potential corruption in wilc_parse_join_bss_param()
@ 2019-10-17 9:18 Dan Carpenter
2019-10-17 17:06 ` Adham.Abozaeid
0 siblings, 1 reply; 2+ messages in thread
From: Dan Carpenter @ 2019-10-17 9:18 UTC (permalink / raw)
To: Adham Abozaeid
Cc: devel, Greg Kroah-Hartman, Ajay Singh, kernel-janitors, linux-wireless
The "rates_len" value needs to be capped so that the memcpy() doesn't
copy beyond the end of the array.
Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
---
drivers/staging/wilc1000/wilc_hif.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c
index 0ac2b6ac50b0..e0a95c5cc0d5 100644
--- a/drivers/staging/wilc1000/wilc_hif.c
+++ b/drivers/staging/wilc1000/wilc_hif.c
@@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
if (rates_ie) {
rates_len = rates_ie[1];
+ if (rates_len > WILC_MAX_RATES_SUPPORTED)
+ rates_len = WILC_MAX_RATES_SUPPORTED;
param->supp_rates[0] = rates_len;
memcpy(¶m->supp_rates[1], rates_ie + 2, rates_len);
}
--
2.20.1
_______________________________________________
devel mailing list
devel@linuxdriverproject.org
http://driverdev.linuxdriverproject.org/mailman/listinfo/driverdev-devel
^ permalink raw reply related [flat|nested] 2+ messages in thread
end of thread, other threads:[~2019-10-17 17:06 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-17 9:18 [PATCH] staging: wilc1000: potential corruption in wilc_parse_join_bss_param() Dan Carpenter
2019-10-17 17:06 ` Adham.Abozaeid
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).