diff options
| author | Laura Abbott <labbott@redhat.com> | 2019-10-18 07:43:21 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-11-06 13:06:21 +0100 |
| commit | 64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33 (patch) | |
| tree | 76929538c009daf11d6567cf2257b389e6247bfb | |
| parent | a8166916152825d84bff2d94d6c7bce2d703b9df (diff) | |
| download | linux-stable-64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33.tar.gz linux-stable-64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33.tar.bz2 linux-stable-64efcbc7a5a3c7a14e42ccf7b8a7e7667d672a33.zip | |
rtlwifi: Fix potential overflow on P2P code
commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream.
Nicolas Waisman noticed that even though noa_len is checked for
a compatible length it's still possible to overrun the buffers
of p2pinfo since there's no check on the upper bound of noa_num.
Bound noa_num against P2P_MAX_NOA_NUM.
Reported-by: Nicolas Waisman <nico@semmle.com>
Signed-off-by: Laura Abbott <labbott@redhat.com>
Acked-by: Ping-Ke Shih <pkshih@realtek.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| -rw-r--r-- | drivers/net/wireless/realtek/rtlwifi/ps.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c index 479a4cfc245d..5f998ea2d5a6 100644 --- a/drivers/net/wireless/realtek/rtlwifi/ps.c +++ b/drivers/net/wireless/realtek/rtlwifi/ps.c @@ -775,6 +775,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data, return; } else { noa_num = (noa_len - 2) / 13; + if (noa_num > P2P_MAX_NOA_NUM) + noa_num = P2P_MAX_NOA_NUM; + } noa_index = ie[3]; if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == @@ -869,6 +872,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data, return; } else { noa_num = (noa_len - 2) / 13; + if (noa_num > P2P_MAX_NOA_NUM) + noa_num = P2P_MAX_NOA_NUM; + } noa_index = ie[3]; if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode == |