mwifiex: fix probable memory corruption while processing TDLS frame

Size of RSN IE buffer in driver is 254 while maximum size of received buffer to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum of 254 bytes into RSN IE buffer. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Avinash Patil <patila@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

mwifiex: fix probable memory corruption while processing TDLS frame
Size of RSN IE buffer in driver is 254 while maximum size of received buffer to be copied to RSN IE buffer can be 255. Add boundary check to copy maximum of 254 bytes into RSN IE buffer. Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Signed-off-by: Avinash Patil <patila@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
3c99832d · Avinash Patil · John W. Linville · 4721c63b · 3c99832d
Commit 3c99832d authored Sep 12, 2014 by Avinash Patil Committed by John W. Linville Sep 15, 2014
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 1 deletion

drivers/net/wireless/mwifiex/tdls.c drivers/net/wireless/mwifiex/tdls.c +3 -1

No files found.
--- a/drivers/net/wireless/mwifiex/tdls.c
+++ b/drivers/net/wireless/mwifiex/tdls.c
@@ -871,7 +871,9 @@ void mwifiex_process_tdls_action_frame(struct mwifiex_private *priv,
 			break;
 		case WLAN_EID_RSN:
 			memcpy((u8 *)&sta_ptr->tdls_cap.rsn_ie, pos,
-			       sizeof(struct ieee_types_header) + pos[1]);
+			       sizeof(struct ieee_types_header) +
+			       min_t(u8, pos[1], IEEE_MAX_IE_SIZE -
+				     sizeof(struct ieee_types_header)));
 			break;
 		case WLAN_EID_QOS_CAPA:
 			sta_ptr->tdls_cap.qos_info = pos[2];