Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 81bb6a8c authored by Alexei Avshalom Lazar's avatar Alexei Avshalom Lazar Committed by Lior David
Browse files

wil6210: check null pointer in _wil_cfg80211_merge_extra_ies 



ies1 or ies2 might be null when code inside
_wil_cfg80211_merge_extra_ies access them.
Add explicit check for null and make sure ies1/ies2 are not
accessed in such a case.

Change-Id: I14908fcac0e1fc8e02e9460a86cc8e5edebb4192
Signed-off-by: default avatarAlexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: default avatarLior David <liord@codeaurora.org>
parent c1f8c113

drivers/net/wireless/ath/wil6210/cfg80211.c

+10 −2
Original line number Diff line number Diff line
@@ -1841,6 +1841,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, 
	u8 *buf, *dpos;

	const u8 *spos;



	if (!ies1)

		ies1_len = 0;



	if (!ies2)

		ies2_len = 0;



	if (ies1_len == 0 && ies2_len == 0) {

		*merged_ies = NULL;

		*merged_len = 0;
@@ -1850,6 +1856,7 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, 
	buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL);

	if (!buf)

		return -ENOMEM;

	if (ies1)

		memcpy(buf, ies1, ies1_len);

	dpos = buf + ies1_len;

	spos = ies2;
@@ -1860,7 +1867,8 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len, 
		if (spos + ielen > ies2 + ies2_len)

			break;

		if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&

		    !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) {

		    (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,

						     spos, ielen))) {

			memcpy(dpos, spos, ielen);

			dpos += ielen;

		}