Commit 5bd28bc2 authored by Jes Sorensen's avatar Jes Sorensen Committed by Greg Kroah-Hartman

staging: rtl8723au: Check kmalloc return value and fix size of memcpy()

Check kmalloc() return before dereferencing bssid in
rtw_check_bcn_info23a() and use the correct size to copy
rtw_basic_rate_ofdm in update_bmc_sta_support_rate23a()
Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: default avatarJes Sorensen <Jes.Sorensen@redhat.com>
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 7591ba8b
...@@ -4510,7 +4510,7 @@ u8 collect_bss_info23a(struct rtw_adapter *padapter, ...@@ -4510,7 +4510,7 @@ u8 collect_bss_info23a(struct rtw_adapter *padapter,
} }
ie_offset -= offsetof(struct ieee80211_mgmt, u); ie_offset -= offsetof(struct ieee80211_mgmt, u);
bssid->Length = sizeof(struct wlan_bssid_ex) - MAX_IE_SZ + length; bssid->Length = offsetof(struct wlan_bssid_ex, IEs) + length;
/* below is to copy the information element */ /* below is to copy the information element */
bssid->IELength = length; bssid->IELength = length;
......
...@@ -899,15 +899,17 @@ int rtw_check_bcn_info23a(struct rtw_adapter *Adapter, ...@@ -899,15 +899,17 @@ int rtw_check_bcn_info23a(struct rtw_adapter *Adapter,
} }
bssid = (struct wlan_bssid_ex *)kzalloc(sizeof(struct wlan_bssid_ex), bssid = (struct wlan_bssid_ex *)kzalloc(sizeof(struct wlan_bssid_ex),
GFP_ATOMIC); GFP_ATOMIC);
if (!bssid)
return _FAIL;
bssid->reserved = 1; bssid->reserved = 1;
bssid->Length = sizeof(struct wlan_bssid_ex) - MAX_IE_SZ + len; bssid->Length = offsetof(struct wlan_bssid_ex, IEs) + len;
/* below is to copy the information element */ /* below is to copy the information element */
bssid->IELength = len; bssid->IELength = len;
memcpy(bssid->IEs, &mgmt->u, bssid->IELength); memcpy(bssid->IEs, &mgmt->u, len);
/* check bw and channel offset */ /* check bw and channel offset */
/* parsing HT_CAP_IE */ /* parsing HT_CAP_IE */
...@@ -1589,9 +1591,11 @@ void update_bmc_sta_support_rate23a(struct rtw_adapter *padapter, u32 mac_id) ...@@ -1589,9 +1591,11 @@ void update_bmc_sta_support_rate23a(struct rtw_adapter *padapter, u32 mac_id)
if (pmlmeext->cur_wireless_mode & WIRELESS_11B) { if (pmlmeext->cur_wireless_mode & WIRELESS_11B) {
/* Only B, B/G, and B/G/N AP could use CCK rate */ /* Only B, B/G, and B/G/N AP could use CCK rate */
memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates), rtw_basic_rate_cck, 4); memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates),
rtw_basic_rate_cck, 4);
} else { } else {
memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates), rtw_basic_rate_ofdm, 4); memcpy((pmlmeinfo->FW_sta_info[mac_id].SupportedRates),
rtw_basic_rate_ofdm, 3);
} }
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment