ath10k: fix the potential buffer overflow in wow offload (5b0ed3b7) · Commits · e / devices / android_kernel_sony_msm8998

drivers/net/wireless/ath/ath10k/wmi-tlv.c

+10 −9

Original line number	Original line	Diff line number	Diff line
	@@ -3025,8 +3025,8 @@ ath10k_wmi_tlv_op_gen_set_arp_ns_offload(struct ath10k *ar,
	void *ptr;		void *ptr;
	int i;		int i;
	struct wmi_ns_arp_offload_req *arp = &arvif->arp_offload;		struct wmi_ns_arp_offload_req *arp = &arvif->arp_offload;
	struct wmi_ns_offload *ns_tuple[WMI_MAX_NS_OFFLOADS];		struct wmi_ns_offload *ns_tuple;
	struct wmi_arp_offload *arp_tuple[WMI_MAX_ARP_OFFLOADS];		struct wmi_arp_offload *arp_tuple;

	len = sizeof(cmd) + sizeof(tlv) +		len = sizeof(cmd) + sizeof(tlv) +
	sizeof(tlv) + WMI_MAX_NS_OFFLOADS		sizeof(tlv) + WMI_MAX_NS_OFFLOADS
	@@ -3057,8 +3057,8 @@ ath10k_wmi_tlv_op_gen_set_arp_ns_offload(struct ath10k *ar,
	for (i = 0; i < WMI_MAX_NS_OFFLOADS; i++) {		for (i = 0; i < WMI_MAX_NS_OFFLOADS; i++) {
	tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_NS_OFFLOAD_TUPLE);		tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_NS_OFFLOAD_TUPLE);
	tlv->len = __cpu_to_le16(sizeof(struct wmi_ns_offload));		tlv->len = __cpu_to_le16(sizeof(struct wmi_ns_offload));
	ns_tuple[i] = (struct wmi_ns_offload *)tlv->value;		ns_tuple = (struct wmi_ns_offload *)tlv->value;
	ns_tuple[i]->flags \|= __cpu_to_le32(WMI_ARP_NS_OFFLOAD_DISABLE);		ns_tuple->flags \|= __cpu_to_le32(WMI_ARP_NS_OFFLOAD_DISABLE);
	ptr += (sizeof(*tlv) + sizeof(struct wmi_ns_offload));		ptr += (sizeof(*tlv) + sizeof(struct wmi_ns_offload));
	tlv = ptr;		tlv = ptr;
	}		}
	@@ -3072,14 +3072,15 @@ ath10k_wmi_tlv_op_gen_set_arp_ns_offload(struct ath10k *ar,
	for (i = 0; i < WMI_MAX_ARP_OFFLOADS; i++) {		for (i = 0; i < WMI_MAX_ARP_OFFLOADS; i++) {
	tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_ARP_OFFLOAD_TUPLE);		tlv->tag = __cpu_to_le16(WMI_TLV_TAG_STRUCT_ARP_OFFLOAD_TUPLE);
	tlv->len = __cpu_to_le16(sizeof(struct wmi_arp_offload));		tlv->len = __cpu_to_le16(sizeof(struct wmi_arp_offload));
	arp_tuple[i] = (struct wmi_arp_offload *)tlv->value;		arp_tuple = (struct wmi_arp_offload *)tlv->value;
	if (arp->enable_offload && (i == 0)) {		if (arp->enable_offload && (i == 0)) {
	arp_tuple[i]->flags \|=		arp_tuple->flags \|=
	__cpu_to_le32(WMI_ARPOFF_FLAGS_VALID);		__cpu_to_le32(WMI_ARPOFF_FLAGS_VALID);
	memcpy(&arp_tuple[i]->target_ipaddr,		memcpy(&arp_tuple->target_ipaddr,
	&arp->params.ipv4_addr, 4);		&arp->params.ipv4_addr,
			sizeof(arp_tuple->target_ipaddr));
	} else {		} else {
	arp_tuple[i]->flags \|=		arp_tuple->flags \|=
	__cpu_to_le32(WMI_ARP_NS_OFFLOAD_DISABLE);		__cpu_to_le32(WMI_ARP_NS_OFFLOAD_DISABLE);
	}		}
	ptr += (sizeof(*tlv) + sizeof(struct wmi_arp_offload));		ptr += (sizeof(*tlv) + sizeof(struct wmi_arp_offload));

drivers/net/wireless/ath/ath10k/wow.c

+3 −2

Original line number	Original line	Diff line number	Diff line
	@@ -251,7 +251,7 @@ ath10k_wow_fill_vdev_arp_offload_struct(struct ath10k_vif *arvif,
	arp->offload_type = __cpu_to_le16(WMI_IPV4_ARP_REPLY_OFFLOAD);		arp->offload_type = __cpu_to_le16(WMI_IPV4_ARP_REPLY_OFFLOAD);
	arp->enable_offload = __cpu_to_le16(WMI_ARP_NS_OFFLOAD_ENABLE);		arp->enable_offload = __cpu_to_le16(WMI_ARP_NS_OFFLOAD_ENABLE);
	for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {		for (ifa = in_dev->ifa_list; ifa; ifa = ifa->ifa_next) {
	if (!strcmp(ifa->ifa_label, wdev->netdev->name)) {		if (!memcmp(ifa->ifa_label, wdev->netdev->name, IFNAMSIZ)) {
	offload_params_found = true;		offload_params_found = true;
	break;		break;
	}		}
	@@ -259,8 +259,9 @@ ath10k_wow_fill_vdev_arp_offload_struct(struct ath10k_vif *arvif,

	if (!offload_params_found)		if (!offload_params_found)
	return -ENODEV;		return -ENODEV;
			memcpy(&arp->params.ipv4_addr, &ifa->ifa_local,
			sizeof(arp->params.ipv4_addr));

	memcpy(&arp->params.ipv4_addr, &ifa->ifa_local, 4);
	return 0;		return 0;
	}		}