Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()

author Dan Carpenter <dan.carpenter@oracle.com>

Wed, 3 Jun 2020 10:19:58 +0000 (13:19 +0300)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Tue, 16 Jun 2020 19:25:38 +0000 (21:25 +0200)
author Dan Carpenter <dan.carpenter@oracle.com>
Wed, 3 Jun 2020 10:19:58 +0000 (13:19 +0300)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Jun 2020 19:25:38 +0000 (21:25 +0200)
diff --git a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c

index 69bcd172b2987c2e19ddfc48e816c92fea19803d..a3ea7ce3e12e95a526c1736192fb37c46ebb2a94 100644 (file)
--- a/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
+++ b/drivers/staging/rtl8723bs/core/rtw_wlan_util.c
@@ -1824,12 +1824,14 @@ int update_sta_support_rate(struct adapter *padapter, u8 *pvar_ie, uint var_ie_l
         pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _SUPPORTEDRATES_IE_, &ie_len, var_ie_len);
         if (!pIE)
                 return _FAIL;
+       if (ie_len > sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates))
+               return _FAIL;
  
         memcpy(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates, pIE->data, ie_len);
         supportRateNum = ie_len;
  
         pIE = (struct ndis_80211_var_ie *)rtw_get_ie(pvar_ie, _EXT_SUPPORTEDRATES_IE_, &ie_len, var_ie_len);
-       if (pIE)
+       if (pIE && (ie_len <= sizeof(pmlmeinfo->FW_sta_info[cam_idx].SupportedRates) - supportRateNum))
                 memcpy((pmlmeinfo->FW_sta_info[cam_idx].SupportedRates + supportRateNum), pIE->data, ie_len);
  
         return _SUCCESS;
author	Dan Carpenter <dan.carpenter@oracle.com>
	Wed, 3 Jun 2020 10:19:58 +0000 (13:19 +0300)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Tue, 16 Jun 2020 19:25:38 +0000 (21:25 +0200)