From 8795ca61e4ff3db70f2d072a28aaefc29f1a2301 Mon Sep 17 00:00:00 2001
From: Avinash Patil
Date: Mon, 22 Jul 2013 19:17:46 -0700
Subject: [PATCH] mwifiex: correct max IE length check for WPS IE

This patch is bug fix for an invalid boundry check for WPS IE. We should check max IE length against defined macro; instead we were checking it against size of pointer. Fix it. Also move IE length check before allocation of memory.

Signed-off-by: Avinash Patil
Signed-off-by: Bing Zhao
Signed-off-by: John W. Linville
---
 drivers/net/wireless/mwifiex/sta_ioctl.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 206c3e038072..c071ce91c8b2 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -797,15 +797,16 @@ static int mwifiex_set_wps_ie(struct mwifiex_private *priv,
 u8 *ie_data_ptr, u16 ie_len)
 {
 if (ie_len) {
+ if (ie_len > MWIFIEX_MAX_VSIE_LEN) {
+ dev_dbg(priv->adapter->dev,
+ "info: failed to copy WPS IE, too big\n");
+ return -1;
+ }
+
 priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);
 if (!priv->wps_ie)
 return -ENOMEM;
- if (ie_len > sizeof(priv->wps_ie)) {
- dev_dbg(priv->adapter->dev,
- "info: failed to copy WPS IE, too big\n");
- kfree(priv->wps_ie);
- return -1;
- }
+
 memcpy(priv->wps_ie, ie_data_ptr, ie_len);
 priv->wps_ie_len = ie_len;
 dev_dbg(priv->adapter->dev, "cmd: Set wps_ie_len=%d IE=%#x\n",
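Review bot: The new oversize branch returns a bare `-1` while the allocation failure a few lines below returns `-ENOMEM`, so a caller that propagates the value would report it as -EPERM rather than as a bad length; `return -EINVAL;` would keep the function's error codes consistent. Separately, `priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);` overwrites the pointer without releasing any earlier buffer. Whether `priv->wps_ie` can be non-NULL on entry is not visible in this hunk, so it is worth confirming that a second call with a non-zero `ie_len` cannot leak the previous allocation. The body of mwifiex_set_wps_ie continues past the end of the hunk.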