diff options
author | Dan Carpenter <dan.carpenter@oracle.com> | 2019-10-17 12:18:32 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-24 23:17:17 -0400 |
commit | d59dc92f1bccd5acde793aebdbb4f7121cf3f9af (patch) | |
tree | 8033ae682f4e3222e0a427679eea2041f1cd4edf /drivers/staging/wilc1000 | |
parent | bfc0a0935aa4d74cd37d0b5e013ec6c4aa827a2d (diff) |
staging: wilc1000: potential corruption in wilc_parse_join_bss_param()
The "rates_len" value needs to be capped so that the memcpy() doesn't
copy beyond the end of the array.
Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Adham Abozaeid <adham.abozaeid@microchip.com>
Link: https://lore.kernel.org/r/20191017091832.GB31278@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'drivers/staging/wilc1000')
-rw-r--r-- | drivers/staging/wilc1000/wilc_hif.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c index 0ac2b6ac50b0..e0a95c5cc0d5 100644 --- a/drivers/staging/wilc1000/wilc_hif.c +++ b/drivers/staging/wilc1000/wilc_hif.c @@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len); if (rates_ie) { rates_len = rates_ie[1]; + if (rates_len > WILC_MAX_RATES_SUPPORTED) + rates_len = WILC_MAX_RATES_SUPPORTED; param->supp_rates[0] = rates_len; memcpy(¶m->supp_rates[1], rates_ie + 2, rates_len); } |