Commit 8795ca61 authored by Avinash Patil's avatar Avinash Patil Committed by John W. Linville

mwifiex: correct max IE length check for WPS IE

This patch is bug fix for an invalid boundry check for WPS IE.
We should check max IE length against defined macro; instead we were
checking it against size of pointer. Fix it.
Also move IE length check before allocation of memory.
Signed-off-by: default avatarAvinash Patil <patila@marvell.com>
Signed-off-by: default avatarBing Zhao <bzhao@marvell.com>
Signed-off-by: default avatarJohn W. Linville <linville@tuxdriver.com>
parent 5e4c0798
......@@ -797,15 +797,16 @@ static int mwifiex_set_wps_ie(struct mwifiex_private *priv,
u8 *ie_data_ptr, u16 ie_len)
{
if (ie_len) {
priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);
if (!priv->wps_ie)
return -ENOMEM;
if (ie_len > sizeof(priv->wps_ie)) {
if (ie_len > MWIFIEX_MAX_VSIE_LEN) {
dev_dbg(priv->adapter->dev,
"info: failed to copy WPS IE, too big\n");
kfree(priv->wps_ie);
return -1;
}
priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);
if (!priv->wps_ie)
return -ENOMEM;
memcpy(priv->wps_ie, ie_data_ptr, ie_len);
priv->wps_ie_len = ie_len;
dev_dbg(priv->adapter->dev, "cmd: Set wps_ie_len=%d IE=%#x\n",
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment