| From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001 |
| From: Denis Efremov <efremov@linux.com> |
| Date: Mon, 30 Sep 2019 23:31:47 +0300 |
| Subject: ar5523: check NULL before memcpy() in ar5523_cmd() |
| |
| From: Denis Efremov <efremov@linux.com> |
| |
| commit 315cee426f87658a6799815845788fde965ddaad upstream. |
| |
| memcpy() call with "idata == NULL && ilen == 0" results in undefined |
| behavior in ar5523_cmd(). For example, NULL is passed in callchain |
| "ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch |
| adds ilen check before memcpy() call in ar5523_cmd() to prevent an |
| undefined behavior. |
| |
| Cc: Pontus Fuchs <pontus.fuchs@gmail.com> |
| Cc: Kalle Valo <kvalo@codeaurora.org> |
| Cc: "David S. Miller" <davem@davemloft.net> |
| Cc: David Laight <David.Laight@ACULAB.COM> |
| Cc: stable@vger.kernel.org |
| Signed-off-by: Denis Efremov <efremov@linux.com> |
| Signed-off-by: Kalle Valo <kvalo@codeaurora.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++- |
| 1 file changed, 2 insertions(+), 1 deletion(-) |
| |
| --- a/drivers/net/wireless/ath/ar5523/ar5523.c |
| +++ b/drivers/net/wireless/ath/ar5523/ar5523.c |
| @@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, |
| |
| if (flags & AR5523_CMD_FLAG_MAGIC) |
| hdr->magic = cpu_to_be32(1 << 24); |
| - memcpy(hdr + 1, idata, ilen); |
| + if (ilen) |
| + memcpy(hdr + 1, idata, ilen); |
| |
| cmd->odata = odata; |
| cmd->olen = olen; |