rtlwifi: Fix potential overflow on P2P code

Nicolas Waisman noticed that even though noa_len is checked for a compatible length it's still possible to overrun the buffers of p2pinfo since there's no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM. Reported-by: N Nicolas Waisman <nico@semmle.com> Signed-off-by: N Laura Abbott <labbott@redhat.com> Acked-by: N Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org>

rtlwifi: Fix potential overflow on P2P code
Nicolas Waisman noticed that even though noa_len is checked for a compatible length it's still possible to overrun the buffers of p2pinfo since there's no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM. Reported-by: N Nicolas Waisman <nico@semmle.com> Signed-off-by: N Laura Abbott <labbott@redhat.com> Acked-by: N Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: N Kalle Valo <kvalo@codeaurora.org>
8c55dedb · Laura Abbott · Kalle Valo · 7cded565 · 8c55dedb
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

drivers/net/wireless/realtek/rtlwifi/ps.c drivers/net/wireless/realtek/rtlwifi/ps.c +6 -0

未找到文件。
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c
@@ -754,6 +754,9 @@ static void rtl_p2p_noa_ie(struct ieee80211_hw *hw, void *data,
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -848,6 +851,9 @@ static void rtl_p2p_action_ie(struct ieee80211_hw *hw, void *data,
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==