Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a7ed7828 authored by Hante Meuleman's avatar Hante Meuleman Committed by Kalle Valo
Browse files

brcmfmac: fix out of bound access on clearing wowl wake indicator 



Clearing the wowl wakeindicator happens with a rather odd
construction where the string "clear" is used to set the iovar
wowl_wakeind. This was implemented incorrectly as it caused an
out of bound access. Use an intermediate variable of correct
length and copy string in that. Problem was found using coverity.

Reviewed-by: default avatarArend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: default avatarFranky Lin <franky.lin@broadcom.com>
Reviewed-by: default avatarPieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: default avatarHante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 2b7425f3

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

+4 −2
Original line number Diff line number Diff line
@@ -3703,6 +3703,7 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg, 
				 struct cfg80211_wowlan *wowl)

{

	u32 wowl_config;

	struct brcmf_wowl_wakeind_le wowl_wakeind;

	u32 i;



	brcmf_dbg(TRACE, "Suspend, wowl config.\n");
@@ -3744,8 +3745,9 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg, 
	if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))

		wowl_config |= BRCMF_WOWL_UNASSOC;



	brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",

				 sizeof(struct brcmf_wowl_wakeind_le));

	memcpy(&wowl_wakeind, "clear", 6);

	brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,

				 sizeof(wowl_wakeind));

	brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);

	brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);

	brcmf_bus_wowl_config(cfg->pub->bus_if, true);