From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Alexei Avshalom Lazar <ailizaro@codeaurora.org>,
Maya Erez <merez@codeaurora.org>,
Kalle Valo <kvalo@codeaurora.org>,
Sasha Levin <sashal@kernel.org>,
linux-wireless@vger.kernel.org, wil6210@qti.qualcomm.com,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 5.0 063/262] wil6210: check null pointer in _wil_cfg80211_merge_extra_ies
Date: Wed, 27 Mar 2019 13:58:38 -0400 [thread overview]
Message-ID: <20190327180158.10245-63-sashal@kernel.org> (raw)
In-Reply-To: <20190327180158.10245-1-sashal@kernel.org>
From: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
[ Upstream commit de77a53c2d1e8fb3621e63e8e1f0f0c9a1a99ff7 ]
ies1 or ies2 might be null when code inside
_wil_cfg80211_merge_extra_ies access them.
Add explicit check for null and make sure ies1/ies2 are not
accessed in such a case.
spos might be null and be accessed inside
_wil_cfg80211_merge_extra_ies.
Add explicit check for null in the while condition statement
and make sure spos is not accessed in such a case.
Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/wil6210/cfg80211.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
index 9b2f9f543952..5a44f9d0ff02 100644
--- a/drivers/net/wireless/ath/wil6210/cfg80211.c
+++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
@@ -1580,6 +1580,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
u8 *buf, *dpos;
const u8 *spos;
+ if (!ies1)
+ ies1_len = 0;
+
+ if (!ies2)
+ ies2_len = 0;
+
if (ies1_len == 0 && ies2_len == 0) {
*merged_ies = NULL;
*merged_len = 0;
@@ -1589,17 +1595,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL);
if (!buf)
return -ENOMEM;
- memcpy(buf, ies1, ies1_len);
+ if (ies1)
+ memcpy(buf, ies1, ies1_len);
dpos = buf + ies1_len;
spos = ies2;
- while (spos + 1 < ies2 + ies2_len) {
+ while (spos && (spos + 1 < ies2 + ies2_len)) {
/* IE tag at offset 0, length at offset 1 */
u16 ielen = 2 + spos[1];
if (spos + ielen > ies2 + ies2_len)
break;
if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&
- !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) {
+ (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,
+ spos, ielen))) {
memcpy(dpos, spos, ielen);
dpos += ielen;
}
--
2.19.1
next prev parent reply other threads:[~2019-03-27 19:29 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20190327180158.10245-1-sashal@kernel.org>
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 012/262] net/mlx5e: Fix access to non-existing receive queue Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 013/262] net/mlx5: Avoid panic when setting vport rate Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 014/262] net/mlx5: Avoid panic when setting vport mac, getting vport config Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 016/262] xsk: fix to reject invalid flags in xsk_bind Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 020/262] netfilter: nf_tables: fix set double-free in abort path Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 022/262] net: stmmac: Avoid sometimes uninitialized Clang warnings Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 023/262] enic: fix build warning without CONFIG_CPUMASK_OFFSTACK Sasha Levin
2019-03-27 17:57 ` [PATCH AUTOSEL 5.0 024/262] libbpf: force fixdep compilation at the start of the build Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 053/262] netfilter: nf_tables: check the result of dereferencing base_chain->stats Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 055/262] netfilter: conntrack: tcp: only close if RST matches exact sequence Sasha Levin
2019-03-27 17:58 ` Sasha Levin [this message]
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 064/262] mt76: fix a leaked reference by adding a missing of_node_put Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 065/262] ath10k: Fix the wrong updation of BW in tx_stats debugfs entry Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 069/262] tools/bpf: selftests: add map lookup to test_map_in_map bpf prog Sasha Levin
2019-03-27 17:58 ` [PATCH AUTOSEL 5.0 079/262] ath10k: don't report unset rssi values to mac80211 Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 087/262] net: dsa: mv88e6xxx: Default CMODE to 1000BaseX only on 6390X Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 088/262] ice: fix ice_remove_rule_internal vsi_list handling Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 093/262] net: dsa: mv88e6xxx: Add lockdep classes to fix false positive splat Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 094/262] net: hns3: fix setting of the hns reset_type for rdma hw errors Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 095/262] veth: Fix -Wformat-truncation Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 096/262] e1000e: Fix -Wformat-truncation warnings Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 097/262] mlxsw: spectrum: Avoid " Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 116/262] mwifiex: don't advertise IBSS features without FW support Sasha Levin
2019-03-27 18:08 ` Brian Norris
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 127/262] mt76: usb: do not run mt76u_queues_deinit twice Sasha Levin
2019-03-27 17:59 ` [PATCH AUTOSEL 5.0 140/262] tools build: Add test-reallocarray.c to test-all.c to fix the build Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 145/262] iwlwifi: pcie: fix emergency path Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 149/262] selftests: skip seccomp get_metadata test if not real root Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 153/262] netfilter: conntrack: fix cloned unconfirmed skb->_nfct race in __nf_conntrack_confirm Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 157/262] ath10k: fix shadow register implementation for WCN3990 Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 165/262] net: marvell: mvpp2: fix stuck in-band SGMII negotiation Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 167/262] net: phy: consider latched link-down status in polling mode Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 172/262] bpf: test_maps: fix possible out of bound access warning Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 177/262] e1000e: fix cyclic resets at link up with active tx Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 178/262] e1000e: Exclude device from suspend direct complete optimization Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 182/262] iwlwifi: mvm: fix RFH config command with >=10 CPUs Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 192/262] nfp: bpf: correct the behavior for shifts by zero Sasha Levin
2019-03-27 18:14 ` [oss-drivers] " Jakub Kicinski
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 195/262] mt7601u: bump supported EEPROM version Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 200/262] bpf: fix missing prototype warnings Sasha Levin
2019-03-27 18:00 ` [PATCH AUTOSEL 5.0 201/262] selftests/bpf: skip verifier tests for unsupported program types Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 212/262] perf trace: Fixup etcsnoop example Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 218/262] selftests/bpf: suppress readelf stderr when probing for BTF support Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 221/262] Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 233/262] netfilter: physdev: relax br_netfilter dependency Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 234/262] nfp: flower: tidy tunnel related private data Sasha Levin
2019-03-27 18:15 ` [oss-drivers] " Jakub Kicinski
2019-04-03 16:20 ` Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 245/262] brcmfmac: Use firmware_request_nowarn for the clm_blob Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 246/262] wlcore: Fix memory leak in case wl12xx_fetch_firmware failure Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 258/262] net: stmmac: Avoid one more sometimes uninitialized Clang warning Sasha Levin
2019-03-27 18:01 ` [PATCH AUTOSEL 5.0 259/262] appletalk: Fix compile regression Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190327180158.10245-63-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ailizaro@codeaurora.org \
--cc=kvalo@codeaurora.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-wireless@vger.kernel.org \
--cc=merez@codeaurora.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=wil6210@qti.qualcomm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).