[PATCH 3.16 005/245] mwifiex: fix probable memory corruption while processing TDLS frame
From: Ben Hutchings
Date: Thu Apr 23 2020 - 19:25:49 EST
3.16.83-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Avinash Patil <patila@xxxxxxxxxxx>
commit 3c99832d74777c9ec5545a92450fac5d37b0d0e1 upstream.
Size of RSN IE buffer in driver is 254 while maximum size of received buffer
to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum
of 254 bytes into RSN IE buffer.
Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
Signed-off-by: Avinash Patil <patila@xxxxxxxxxxx>
Signed-off-by: John W. Linville <linville@xxxxxxxxxxxxx>
Signed-off-by: Ben Hutchings <ben@xxxxxxxxxxxxxxx>
---
drivers/net/wireless/mwifiex/tdls.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -877,7 +877,9 @@ void mwifiex_process_tdls_action_frame(s
break;
case WLAN_EID_RSN:
memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
- sizeof(struct ieee_types_header) + pos[1]);
+ sizeof(struct ieee_types_header) +
+ min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+ sizeof(struct ieee_types_header)));
break;
case WLAN_EID_QOS_CAPA:
sta_ptr->tdls_cap.qos_info = pos[2];