staging: wilc1000: potential corruption in wilc_parse_join_bss_param()

The "rates_len" value needs to be capped so that the memcpy() doesn't
copy beyond the end of the array.

Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Adham Abozaeid <adham.abozaeid@microchip.com>
Link: https://lore.kernel.org/r/20191017091832.GB31278@mwanda
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c
index 0ac2b6ac50b0478a6221264d5c5610abda02addd..e0a95c5cc0d59dd496ecea9c5e6ae5007df6d5c0 100644 (file)
--- a/drivers/staging/wilc1000/wilc_hif.c
+++ b/drivers/staging/wilc1000/wilc_hif.c
@@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
        rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
        if (rates_ie) {
                rates_len = rates_ie[1];
+               if (rates_len > WILC_MAX_RATES_SUPPORTED)
+                       rates_len = WILC_MAX_RATES_SUPPORTED;
                param->supp_rates[0] = rates_len;
                memcpy(&param->supp_rates[1], rates_ie + 2, rates_len);
        }