mwifiex: fix potential buffer overflow in dt configuration
author Bing Zhao <bzhao@marvell.com>
Wed, 8 Jan 2014 23:45:56 +0000 (15:45 -0800)
committer John W. Linville <linville@tuxdriver.com>
Thu, 9 Jan 2014 15:56:40 +0000 (10:56 -0500)

If cfgdata length exceeds the command buffer size we will end up
getting buffer overflow problem. Fix it by checking the buffer
size less the command header length.

Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
drivers/net/wireless/mwifiex/sta_cmd.c

index 9c2404c..9208a88 100644 (file)
@@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
                    strncmp(prop->name, prefix, len))
                        continue;
 
-               /* property header is 6 bytes */
-               if (prop && prop->value && prop->length > 6) {
+               /* property header is 6 bytes, data must fit in cmd buffer */
+               if (prop && prop->value && prop->length > 6 &&
+                   prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
                        ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
                                                    HostCmd_ACT_GEN_SET, 0,
                                                    prop);
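
Review bot: The new bound in the `if` condition drops an oversized property without any trace. When `prop->length` exceeds `MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN`, the condition is simply false, and nothing in the visible lines logs the rejection or sets `ret`, so a device-tree blob with a too-large cfgdata entry looks the same as one with no matching entry. Consider splitting the size test into its own branch that emits a warning naming the property and its length, and decide whether the function should return an error in that case. The bound is also enforced only at this call site, while the copy into the command buffer happens behind `mwifiex_send_cmd_sync`; repeating the length check where the data is actually copied would protect any other path that issues `HostCmd_CMD_CFG_DATA`. Minor: the `prop &&` test is redundant, since `prop->name` is already dereferenced in the `strncmp` just above.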