summaryrefslogtreecommitdiff
path: root/drivers
diff options
context:
space:
mode:
authorZhang Xiaohui <ruc_zhangxiaohui@163.com>2020-12-06 11:48:01 +0300
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2021-01-09 15:35:51 +0300
commit6ceb5b8e16dac9a041271bc3985ff155bdbb30b4 (patch)
tree6585c30f4a34877f7352e8f9c766f65a58830bbe /drivers
parent99c6e0af79bfedacbbe583bf9c7adebe62fb59bd (diff)
downloadlinux-6ceb5b8e16dac9a041271bc3985ff155bdbb30b4.tar.xz
mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
[ Upstream commit 5c455c5ab332773464d02ba17015acdca198f03d ] mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers')
-rw-r--r--drivers/net/wireless/marvell/mwifiex/join.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/drivers/net/wireless/marvell/mwifiex/join.c b/drivers/net/wireless/marvell/mwifiex/join.c
index b89596c18b41..313b5d9fd08e 100644
--- a/drivers/net/wireless/marvell/mwifiex/join.c
+++ b/drivers/net/wireless/marvell/mwifiex/join.c
@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
+ if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
+ req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",
generated by cgit v1.2.3 (git 2.39.0) at 2025-02-25 04:10:48 +0300