Commit d59dc92f authored by Dan Carpenter's avatar Dan Carpenter Committed by Greg Kroah-Hartman

staging: wilc1000: potential corruption in wilc_parse_join_bss_param()

The "rates_len" value needs to be capped so that the memcpy() doesn't
copy beyond the end of the array.

Fixes: c5c77ba1 ("staging: wilc1000: Add SDIO/SPI 802.11 driver")
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: default avatarAdham Abozaeid <adham.abozaeid@microchip.com>
Link: https://lore.kernel.org/r/20191017091832.GB31278@mwandaSigned-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent bfc0a093
...@@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, ...@@ -479,6 +479,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len); rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len);
if (rates_ie) { if (rates_ie) {
rates_len = rates_ie[1]; rates_len = rates_ie[1];
if (rates_len > WILC_MAX_RATES_SUPPORTED)
rates_len = WILC_MAX_RATES_SUPPORTED;
param->supp_rates[0] = rates_len; param->supp_rates[0] = rates_len;
memcpy(&param->supp_rates[1], rates_ie + 2, rates_len); memcpy(&param->supp_rates[1], rates_ie + 2, rates_len);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment