Commit 63791ccd authored by Bing Zhao, committed by John W. Linville

mwifiex: fix potential buffer overflow in dt configuration



If cfgdata length exceeds the command buffer size we will end up
getting buffer overflow problem. Fix it by checking the buffer
size less the command header length.

Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
parent 1cbbcb08
+3 −2
@@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
		    strncmp(prop->name, prefix, len))
			continue;

		/* property header is 6 bytes */
		if (prop && prop->value && prop->length > 6) {
		/* property header is 6 bytes, data must fit in cmd buffer */
		if (prop && prop->value && prop->length > 6 &&
		    prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
			ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
						    HostCmd_ACT_GEN_SET, 0,
						    prop);
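
Review bot: the new bound `prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN` makes an oversized property fall through the `if` exactly like one that is too short, and nothing in the visible lines logs it or sets `ret`, so a device-tree entry that is too large is dropped silently. Consider testing the upper bound separately and emitting a warning that names the property and its length (or returning an error), so a bad dt blob can be diagnosed. Separately, `prop` is already dereferenced in the `strncmp(prop->name, prefix, len)` context line above, so the `prop &&` test in this condition protects nothing and could be dropped.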