staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param()

Do not copy the extended supported rates in 'param->supp_rates' if the
array is already full with basic rates values. The array size check
helped to avoid possible illegal memory access [1] while copying to
'param->supp_rates' array.

1. https://marc.info/?l=linux-next&m=157301720517456&w=2

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1487400 ("Memory - illegal accesses")
Fixes: 4e0b0f42c9 ("staging: wilc1000: use struct to pack join parameters for FW")
Cc: stable@vger.kernel.org
Signed-off-by: Ajay Singh <ajay.kathat@microchip.com>
Link: https://lore.kernel.org/r/20191106062127.3165-1-ajay.kathat@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Ajay Singh 2019-11-07 15:58:54 +00:00 committed by Greg Kroah-Hartman
parent a46e810975
commit c7e621bb98

View File

@ -485,16 +485,21 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss,
memcpy(&param->supp_rates[1], rates_ie + 2, rates_len);
}
supp_rates_ie = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES, ies->data,
ies->len);
if (supp_rates_ie) {
if (supp_rates_ie[1] > (WILC_MAX_RATES_SUPPORTED - rates_len))
param->supp_rates[0] = WILC_MAX_RATES_SUPPORTED;
else
param->supp_rates[0] += supp_rates_ie[1];
if (rates_len < WILC_MAX_RATES_SUPPORTED) {
supp_rates_ie = cfg80211_find_ie(WLAN_EID_EXT_SUPP_RATES,
ies->data, ies->len);
if (supp_rates_ie) {
u8 ext_rates = supp_rates_ie[1];
memcpy(&param->supp_rates[rates_len + 1], supp_rates_ie + 2,
(param->supp_rates[0] - rates_len));
if (ext_rates > (WILC_MAX_RATES_SUPPORTED - rates_len))
param->supp_rates[0] = WILC_MAX_RATES_SUPPORTED;
else
param->supp_rates[0] += ext_rates;
memcpy(&param->supp_rates[rates_len + 1],
supp_rates_ie + 2,
(param->supp_rates[0] - rates_len));
}
}
ht_ie = cfg80211_find_ie(WLAN_EID_HT_CAPABILITY, ies->data, ies->len);