From f009a48f80da5bcc9572bb381f214d3c77fc6c93 Mon Sep 17 00:00:00 2001 From: Anand Kumar Date: Tue, 21 Jun 2016 17:36:05 +0530 Subject: wcnss: Avoid user buffer overloading for write cal data compare size of allocated cal data buffer from heap and count bytes provided to write by user to avoid heap overflow for write cal data. Change-Id: Id70c3230f761385489e5e94c613f4519239dfb1f CRs-Fixed: 1032174 Signed-off-by: Anand Kumar --- drivers/net/wireless/wcnss/wcnss_wlan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/wcnss/wcnss_wlan.c b/drivers/net/wireless/wcnss/wcnss_wlan.c index 86f3a4800d1d..3f9eeabc5464 100644 --- a/drivers/net/wireless/wcnss/wcnss_wlan.c +++ b/drivers/net/wireless/wcnss/wcnss_wlan.c @@ -3339,7 +3339,7 @@ static ssize_t wcnss_wlan_write(struct file *fp, const char __user return -EFAULT; if ((UINT32_MAX - count < penv->user_cal_rcvd) || - MAX_CALIBRATED_DATA_SIZE < count + penv->user_cal_rcvd) { + (penv->user_cal_exp_size < count + penv->user_cal_rcvd)) { pr_err(DEVICE " invalid size to write %zu\n", count + penv->user_cal_rcvd); rc = -ENOMEM; -- cgit v1.2.3