mwifiex: fix potential buffer overflow in dt configuration

If cfgdata length exceeds the command buffer size we will end up getting buffer overflow problem. Fix it by checking the buffer size less the command header length. Reviewed-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

mwifiex: fix potential buffer overflow in dt configuration
If cfgdata length exceeds the command buffer size we will end up getting buffer overflow problem. Fix it by checking the buffer size less the command header length. Reviewed-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>
63791ccd · Bing Zhao · John W. Linville · 1cbbcb08 · 63791ccd
Commit 63791ccd authored Jan 08, 2014 by Bing Zhao Committed by John W. Linville Jan 09, 2014
Show whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

drivers/net/wireless/mwifiex/sta_cmd.c drivers/net/wireless/mwifiex/sta_cmd.c +3 -2

No files found.
--- a/drivers/net/wireless/mwifiex/sta_cmd.c
+++ b/drivers/net/wireless/mwifiex/sta_cmd.c
@@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
 		    strncmp(prop->name, prefix, len))
 			continue;

-		/* property header is 6 bytes */
-		if (prop && prop->value && prop->length > 6) {
+		/* property header is 6 bytes, data must fit in cmd buffer */
+		if (prop && prop->value && prop->length > 6 &&
+		    prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
 			ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
 						    HostCmd_ACT_GEN_SET, 0,
 						    prop);