3 files changed, 5 insertions, 1 deletions

diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 0a13d55cb4d3..e4b9dd99b82d 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -7687,6 +7687,9 @@ static int nl80211_crypto_settings(struct cfg80211_registered_device *rdev,
 		if (settings->n_ciphers_pairwise > cipher_limit)
 			return -EINVAL;
 
+		if (len > sizeof(u32) * NL80211_MAX_NR_CIPHER_SUITES)
+			return -EINVAL;
+
 		memcpy(settings->ciphers_pairwise, data, len);
 
 		for (i = 0; i < settings->n_ciphers_pairwise; i++)
diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index 85c12c7d0ed1..6ccaaa3365b9 100644
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -498,7 +498,7 @@ static int cfg80211_sme_get_conn_ies(struct wireless_dev *wdev,
 	if (!buf)
 		return -ENOMEM;
 
-	if (ies_len) {
+	if (ies_len && ies) {
 		static const u8 before_extcapa[] = {
 			/* not listing IEs expected to be created by driver */
 			WLAN_EID_RSN,
diff --git a/net/wireless/util.c b/net/wireless/util.c
index afdbc1200a1b..e50092658fcc 100644
--- a/net/wireless/util.c
+++ b/net/wireless/util.c
@@ -591,6 +591,7 @@ int ieee80211_data_from_8023(struct sk_buff *skb, const u8 *addr,
 	hdr.frame_control = fc;
 	hdr.duration_id = 0;
 	hdr.seq_ctrl = 0;
+	eth_zero_addr(hdr.addr4);
 
 	skip_header_bytes = ETH_HLEN;
 	if (ethertype == ETH_P_AARP || ethertype == ETH_P_IPX) {