mwifiex: fix potential buffer overflow in dt configuration

If cfgdata length exceeds the command buffer size we will end up getting buffer overflow problem. Fix it by checking the buffer size less the command header length. Reviewed-by: Paul Stewart <[email protected]> Signed-off-by: Bing Zhao <[email protected]> Signed-off-by: John W. Linville <[email protected]>
rtvt123 · Jan 9, 2014 · 63791cc · 63791cc
1 parent 1cbbcb0
commit 63791cc
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c
@@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
 		    strncmp(prop->name, prefix, len))
 			continue;
 
-		/* property header is 6 bytes */
-		if (prop && prop->value && prop->length > 6) {
+		/* property header is 6 bytes, data must fit in cmd buffer */
+		if (prop && prop->value && prop->length > 6 &&
+		    prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
 			ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
 						    HostCmd_ACT_GEN_SET, 0,
 						    prop);