wil6210: missing length check in wmi_set_ie

Add a length check in wmi_set_ie to detect unsigned integer overflow. Change-Id: Id1ec6a6218f3fe6e00cc3f9a8e674f8f843273f2 Signed-off-by: Lior David <liord@codeaurora.org>
author: Lior David <liord@codeaurora.org> 2017-10-17 14:18:17 +0300
committer: Gerrit - the friendly Code Review server <code-review@localhost> 2017-11-03 09:06:54 -0700
commit: 6e5a9b32503d37a202fccc5d24b189ae6107a256 (patch)
tree: ae528c958d311d7bab6a435fe79946a95389aeed /drivers/net/wireless/ath/wil6210/wmi.c
parent: 5c9c0841e591001071a138644f6698de9d077210 (diff)
1 files changed, 7 insertions, 1 deletions
diff --git a/drivers/net/wireless/ath/wil6210/wmi.c b/drivers/net/wireless/ath/wil6210/wmi.c
index 6fa93854806b..160eb17fc0ed 100644
--- a/drivers/net/wireless/ath/wil6210/wmi.c
+++ b/drivers/net/wireless/ath/wil6210/wmi.c
@@ -1420,8 +1420,14 @@ int wmi_set_ie(struct wil6210_priv *wil, u8 type, u16 ie_len, const void *ie)
 	};
 	int rc;
 	u16 len = sizeof(struct wmi_set_appie_cmd) + ie_len;
-	struct wmi_set_appie_cmd *cmd = kzalloc(len, GFP_KERNEL);
+	struct wmi_set_appie_cmd *cmd;
 
+	if (len < ie_len) {
+		rc = -EINVAL;
+		goto out;
+	}
+
+	cmd = kzalloc(len, GFP_KERNEL);
 	if (!cmd) {
 		rc = -ENOMEM;
 		goto out;
author	Lior David <liord@codeaurora.org>	2017-10-17 14:18:17 +0300
committer	Gerrit - the friendly Code Review server <code-review@localhost>	2017-11-03 09:06:54 -0700
commit	6e5a9b32503d37a202fccc5d24b189ae6107a256 (patch)
tree	ae528c958d311d7bab6a435fe79946a95389aeed /drivers/net/wireless/ath/wil6210/wmi.c
parent	5c9c0841e591001071a138644f6698de9d077210 (diff)