Commit 51a58709 authored by Lior David's avatar Lior David Committed by Kalle Valo
Browse files

wil6210: missing length check in wil_cfg80211_mgmt_tx 



Add a length check in wil_cfg80211_mgmt_tx to detect unsigned integer
overflow.

Signed-off-by: default avatarLior David <qca_liord@qca.qualcomm.com>
Signed-off-by: default avatarMaya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: default avatarKalle Valo <kvalo@qca.qualcomm.com>
parent b5a8ffca

drivers/net/wireless/ath/wil6210/cfg80211.c

+7 −3
Original line number Diff line number Diff line
@@ -901,7 +901,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, 
			 u64 *cookie)

{

	const u8 *buf = params->buf;

	size_t len = params->len;

	size_t len = params->len, total;

	struct wil6210_priv *wil = wiphy_to_wil(wiphy);

	int rc;

	bool tx_status = false;
@@ -926,7 +926,11 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, 
	if (len < sizeof(struct ieee80211_hdr_3addr))

		return -EINVAL;



	cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);

	total = sizeof(*cmd) + len;

	if (total < len)

		return -EINVAL;



	cmd = kmalloc(total, GFP_KERNEL);

	if (!cmd) {

		rc = -ENOMEM;

		goto out;
@@ -936,7 +940,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev, 
	cmd->len = cpu_to_le16(len);

	memcpy(cmd->payload, buf, len);



	rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, cmd, sizeof(*cmd) + len,

	rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, cmd, total,

		      WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);

	if (rc == 0)

		tx_status = !evt.evt.status;

CRA Git | Maintained and supported by SUSTech CRA and CCSE