Skip to content

Commit 5c455c5

Browse files
Zhang XiaohuiKalle Valo
Zhang Xiaohui
authored and
Kalle Valo
committed
mwifiex: Fix possible buffer overflows in mwifiex_cmd_802_11_ad_hoc_start
mwifiex_cmd_802_11_ad_hoc_start() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@163.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20201206084801.26479-1-ruc_zhangxiaohui@163.com
1 parent 871a825 commit 5c455c5

File tree

1 file changed

+2
-0
lines changed
  • drivers/net/wireless/marvell/mwifiex

1 file changed

+2
-0
lines changed

Diff for: drivers/net/wireless/marvell/mwifiex/join.c

+2
Original file line numberDiff line numberDiff line change
@@ -877,6 +877,8 @@ mwifiex_cmd_802_11_ad_hoc_start(struct mwifiex_private *priv,
877877

878878
memset(adhoc_start->ssid, 0, IEEE80211_MAX_SSID_LEN);
879879

880+
if (req_ssid->ssid_len > IEEE80211_MAX_SSID_LEN)
881+
req_ssid->ssid_len = IEEE80211_MAX_SSID_LEN;
880882
memcpy(adhoc_start->ssid, req_ssid->ssid, req_ssid->ssid_len);
881883

882884
mwifiex_dbg(adapter, INFO, "info: ADHOC_S_CMD: SSID = %s\n",

0 commit comments

Comments
 (0)