Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit bdbc7ef3 authored by Denis Efremov (Oracle)'s avatar Denis Efremov (Oracle) Committed by Greg Kroah-Hartman
Browse files

staging: rtl8723bs: prevent ->Ssid overflow in rtw_wx_set_scan() 



This code has a check to prevent read overflow but it needs another
check to prevent writing beyond the end of the ->Ssid[] array.

Fixes: 554c0a3a ("staging: Add rtl8723bs sdio wifi driver")
Cc: stable <stable@vger.kernel.org>
Signed-off-by: default avatarDenis Efremov (Oracle) <efremov@linux.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 4f075083

drivers/staging/rtl8723bs/os_dep/ioctl_linux.c

+4 −2
Original line number Original line Diff line number Diff line
@@ -1351,9 +1351,11 @@ static int rtw_wx_set_scan(struct net_device *dev, struct iw_request_info *a, 




					sec_len = *(pos++); len-= 1;

					sec_len = *(pos++); len-= 1;





					if (sec_len>0 && sec_len<=len) {

					if (sec_len > 0 &&

					    sec_len <= len &&

					    sec_len <= 32) {

						ssid[ssid_index].SsidLength = sec_len;

						ssid[ssid_index].SsidLength = sec_len;

						memcpy(ssid[ssid_index].Ssid, pos, ssid[ssid_index].SsidLength);

						memcpy(ssid[ssid_index].Ssid, pos, sec_len);

						/* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */

						/* DBG_871X("%s COMBO_SCAN with specific ssid:%s, %d\n", __func__ */

						/* 	, ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */

						/* 	, ssid[ssid_index].Ssid, ssid[ssid_index].SsidLength); */

						ssid_index++;

						ssid_index++;