authorLior David <qca_liord@qca.qualcomm.com>2017-11-14 15:25:39 +0200
committerBen Hutchings <ben@decadent.org.uk>2018-12-16 22:09:44 +0000
commit921c1539170bf690cad59b3dbebf7d46843d28e2 (patch)
tree321876f959e1c2bedc48d403ba403034c8b132ab
parentbfe535bf4ab73e41922c7a58d6a858a2c435ff29 (diff)
downloadlinux-stable-921c1539170bf690cad59b3dbebf7d46843d28e2.tar.gz
wil6210: missing length check in wmi_set_ie
commit b5a8ffcae4103a9d823ea3aa3a761f65779fbe2a upstream. Add a length check in wmi_set_ie to detect unsigned integer overflow. Signed-off-by: Lior David <qca_liord@qca.qualcomm.com> Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com> Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com> [bwh: Backported to 3.16: return directly rather than via "out" label] Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
-rw-r--r--drivers/net/wireless/ath/wil6210/wmi.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 6cc0e182cc70..94ecece55431 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -958,7 +958,12 @@ int wmi_set_ie(struct wil6210_priv *wil, u8 type, u16 ie_len, const void *ie)
{
int rc;
u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len;
- struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL);
+ struct wmi_set_appie_cmd *cmd;
+
+ if (len < ie_len)
+ return -EINVAL;
+
+ cmd = kzalloc(len, GFP_KERNEL);
if (!cmd)
return -ENOMEM;
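Review bot: The guard `if (len < ie_len)` works only because `len` is declared `u16` and the sum on the declaration line is silently truncated on assignment; nothing in the code says so, and widening `len` later would turn the check into dead code without any warning. Either add a comment such as `/* len is u16: sizeof(*cmd) + ie_len wraps for large ie_len */`, or test the bound before the addition with `if (ie_len > U16_MAX - sizeof(struct wmi_set_appie_cmd)) return -EINVAL;`. The rest of wmi_set_ie lies outside the hunk, so the code that consumes `ie_len` after the allocation is not visible here; presumably that copy is what an undersized `kzalloc` would have let overrun.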