staging: rtl8723au: Check kmalloc return value and fix size of memcpy()
authorJes Sorensen <Jes.Sorensen@redhat.com>
Sat, 26 Apr 2014 16:54:49 +0000 (18:54 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 26 Apr 2014 17:16:11 +0000 (10:16 -0700)
Check kmalloc() return before dereferencing bssid in
rtw_check_bcn_info23a() and use the correct size to copy
rtw_basic_rate_ofdm in update_bmc_sta_support_rate23a()

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/staging/rtl8723au/core/rtw_mlme_ext.c
drivers/staging/rtl8723au/core/rtw_wlan_util.c

index 68991dc..3a729a0 100644 (file)
@@ -4510,7 +4510,7 @@ u8 collect_bss_info23a(struct rtw_adapter *padapter,
        }
        ie_offset -= offsetof(struct ieee80211_mgmt, u);
 
-       bssid->Length = sizeof(struct wlan_bssid_ex) - MAX_IE_SZ + length;
+       bssid->Length = offsetof(struct wlan_bssid_ex, IEs) + length;
 
        /* below is to copy the information element */
        bssid->IELength = length;
index 646e468..f2d7712 100644 (file)
@@ -899,15 +899,17 @@ int rtw_check_bcn_info23a(struct rtw_adapter *Adapter,
        }
 
        bssid = (struct wlan_bssid_ex *)kzalloc(sizeof(struct wlan_bssid_ex),
-               GFP_ATOMIC);
+                                               GFP_ATOMIC);
+       if (!bssid)
+               return _FAIL;
 
        bssid->reserved = 1;
 
-       bssid->Length = sizeof(struct wlan_bssid_ex) - MAX_IE_SZ + len;
+       bssid->Length = offsetof(struct wlan_bssid_ex, IEs) + len;
 
        /* below is to copy the information element */
        bssid->IELength = len;
-       memcpy(bssid->IEs, &mgmt->u, bssid->IELength);
+       memcpy(bssid->IEs, &mgmt->u, len);
 
        /* check bw and channel offset */
        /* parsing HT_CAP_IE */
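Review bot: The new `memcpy(bssid->IEs, &mgmt->u, len)` copies `len` bytes into a buffer that the removed line suggests is `MAX_IE_SZ` bytes, and nothing in this hunk shows `len` being limited to that size. `len` appears to come from the length of the received beacon, so if it is not already checked earlier in rtw_check_bcn_info23a() (the function starts above the hunk), a guard such as `if (len > MAX_IE_SZ) return _FAIL;` belongs before the allocation. If the check does exist, a short comment at the copy, `/* len <= MAX_IE_SZ checked above */`, would make the invariant visible. The same question applies to `length` in the collect_bss_info23a() hunk, where the copy itself lies outside the visible lines. As a style point, the cast on kzalloc() is unnecessary: `bssid = kzalloc(sizeof(*bssid), GFP_ATOMIC);`.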
@@ -1589,9 +1591,11 @@ void update_bmc_sta_support_rate23a(struct rtw_adapter *padapter, u32 mac_id)
 
        if (pmlmeext->cur_wireless_mode & WIRELESS_11B) {
                /*  Only B, B/G, and B/G/N AP could use CCK rate */
-               memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates), rtw_basic_rate_cck, 4);
+               memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates),
+                      rtw_basic_rate_cck, 4);
        } else {
-               memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates), rtw_basic_rate_ofdm, 4);
+               memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates),
+                      rtw_basic_rate_ofdm, 3);
        }
 }
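Review bot: The byte counts in the two memcpy() calls are still bare literals (`4` and `3`), which is how the OFDM copy came to read past its source before this fix. Assuming `rtw_basic_rate_cck` and `rtw_basic_rate_ofdm` are true arrays in scope here rather than pointers, tie the size to the source: `memcpy(pmlmeinfo->FW_sta_info[mac_id].SupportedRates, rtw_basic_rate_ofdm, sizeof(rtw_basic_rate_ofdm));`, and likewise for the CCK case. With only three bytes now written in the OFDM branch, any remaining bytes of `SupportedRates` keep their previous contents, so it is worth confirming that readers of this field do not rely on a fourth entry. `mac_id` also indexes `FW_sta_info` with no range check in the visible lines; the function body starts above the hunk, so confirm that callers or earlier code bound it.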