| From: Avinash Patil <patila@marvell.com> |
| Date: Fri, 12 Sep 2014 20:08:46 +0530 |
| Subject: mwifiex: fix probable memory corruption while processing TDLS frame |
| |
| commit 3c99832d74777c9ec5545a92450fac5d37b0d0e1 upstream. |
| |
| Size of RSN IE buffer in driver is 254 while maximum size of received buffer |
| to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum |
| of 254 bytes into RSN IE buffer. |
| |
| Reported-by: Dan Carpenter <dan.carpenter@oracle.com> |
| Signed-off-by: Avinash Patil <patila@marvell.com> |
| Signed-off-by: John W. Linville <linville@tuxdriver.com> |
| Signed-off-by: Ben Hutchings <ben@decadent.org.uk> |
| --- |
| drivers/net/wireless/mwifiex/tdls.c | 4 +++- |
| 1 file changed, 3 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/wireless/mwifiex/tdls.c |
| +++ b/drivers/net/wireless/mwifiex/tdls.c |
| @@ -877,7 +877,9 @@ void mwifiex_process_tdls_action_frame(s |
| break; |
| case WLAN_EID_RSN: |
| memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos, |
| - sizeof(struct ieee_types_header) + pos[1]); |
| + sizeof(struct ieee_types_header) + |
| + min_t(u8, pos[1], IEEE_MAX_IE_SIZE - |
| + sizeof(struct ieee_types_header))); |
| break; |
| case WLAN_EID_QOS_CAPA: |
| sta_ptr->tdls_cap.qos_info = pos[2]; |
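Review bot: The clamp in the `WLAN_EID_RSN` case bounds the memcpy, but the two header bytes are still copied verbatim from `pos`, so the length byte stored in `rsn_ie` keeps the peer-supplied `pos[1]` (up to 255 per the commit message) even when only 254 data bytes were copied. Any later code that sizes a copy or an IE walk from that stored length would read one byte past the buffer; those consumers are outside this hunk, so this needs confirming against the callers. I would compute the bound once, `u8 len = min_t(u8, pos[1], IEEE_MAX_IE_SIZE - sizeof(struct ieee_types_header));`, use it in the memcpy and then write it back into the stored header's length field, or alternatively skip an over-long RSN IE rather than keep a truncated one. A short comment such as `/* rsn_ie data area is smaller than the largest IE payload a peer can send; clamp */` would explain why the min_t is there. The body of mwifiex_process_tdls_action_frame starts and ends outside the hunk.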