diff options
| author |  Bing Zhao <bzhao@marvell.com>
| 2014-01-08 15:45:56 -0800 |
|---|---|---|
| committer |  John W. Linville <linville@tuxdriver.com>
| 2014-01-09 10:56:40 -0500 |
| commit | 63791ccd4690e5c6b3f060bcd2b846e31bd0b423 (patch) | |
| tree | ae3353022595d1dcffb30641aa9e6f60139c4f5f /drivers | |
| parent | wil6210: prefetch head of packet (diff) | |
| download | linux-63791ccd4690e5c6b3f060bcd2b846e31bd0b423.tar.gz linux-63791ccd4690e5c6b3f060bcd2b846e31bd0b423.tar.bz2 linux-63791ccd4690e5c6b3f060bcd2b846e31bd0b423.zip | |
mwifiex: fix potential buffer overflow in dt configuration
If cfgdata length exceeds the command buffer size we will end up
getting buffer overflow problem. Fix it by checking the buffer
size less the command header length.
Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers')
| -rw-r--r-- | drivers/net/wireless/mwifiex/sta_cmd.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c index 9c2404cd755f..9208a8816b80 100644 --- a/drivers/net/wireless/mwifiex/sta_cmd.c +++ b/drivers/net/wireless/mwifiex/sta_cmd.c @@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv, strncmp(prop->name, prefix, len)) continue; - /* property header is 6 bytes */ - if (prop && prop->value && prop->length > 6) { + /* property header is 6 bytes, data must fit in cmd buffer */ + if (prop && prop->value && prop->length > 6 && + prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) { ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA, HostCmd_ACT_GEN_SET, 0, prop); |