wil6210: check null pointer in _wil_cfg80211_merge_extra_ies
authorAlexei Avshalom Lazar <ailizaro@codeaurora.org>
Fri, 22 Feb 2019 14:21:05 +0000 (16:21 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Apr 2019 20:31:29 +0000 (22:31 +0200)
[ Upstream commit de77a53c2d1e8fb3621e63e8e1f0f0c9a1a99ff7 ]

ies1 or ies2 might be null when code inside
_wil_cfg80211_merge_extra_ies accesses them.
Add explicit check for null and make sure ies1/ies2 are not
accessed in such a case.

spos might be null and be accessed inside
_wil_cfg80211_merge_extra_ies.
Add explicit check for null in the while condition statement
and make sure spos is not accessed in such a case.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
drivers/net/wireless/ath/wil6210/cfg80211.c

index 85d5c04618ebcafb87f8a089f31dac3b393f0dc5..c374ed311520e53d44a1140d4bee246c3077f7b8 100644 (file)
@@ -1224,6 +1224,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
        u8 *buf, *dpos;
        const u8 *spos;
 
+       if (!ies1)
+               ies1_len = 0;
+
+       if (!ies2)
+               ies2_len = 0;
+
        if (ies1_len == 0 && ies2_len == 0) {
                *merged_ies = NULL;
                *merged_len = 0;
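Review bot: The two added checks at the top of _wil_cfg80211_merge_extra_ies turn a NULL buffer with a non-zero length into an empty one without any trace, so a caller that passes an inconsistent pointer/length pair is never noticed. Whether such a pair is a legitimate input is not stated in the commit message, so the contract should be written down where the lengths are reset, for example `/* a NULL IE buffer is treated as empty, whatever length the caller passed */`. The NULL guards added in the copy loop of the next hunk rely on this normalisation, which is worth saying in the same comment. The function body starts before and continues after this hunk.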
@@ -1233,17 +1239,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
        buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL);
        if (!buf)
                return -ENOMEM;
-       memcpy(buf, ies1, ies1_len);
+       if (ies1)
+               memcpy(buf, ies1, ies1_len);
        dpos = buf + ies1_len;
        spos = ies2;
-       while (spos + 1 < ies2 + ies2_len) {
+       while (spos && (spos + 1 < ies2 + ies2_len)) {
                /* IE tag at offset 0, length at offset 1 */
                u16 ielen = 2 + spos[1];
 
                if (spos + ielen > ies2 + ies2_len)
                        break;
                if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&
-                   !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) {
+                   (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,
+                                                    spos, ielen))) {
                        memcpy(dpos, spos, ielen);
                        dpos += ielen;
                }
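Review bot: The `spos &&` test in the new loop condition is re-evaluated on every iteration although spos starts as ies2 and, as far as the visible lines show, can only be NULL before the first pass. Since the earlier hunk forces ies2_len to 0 when ies2 is NULL, a length test expresses the same guard and also keeps the pointer arithmetic from being evaluated on NULL: `while (ies2_len && spos + 1 < ies2 + ies2_len) {`. The `if (ies1)` before memcpy and the `!ies1 ||` before _wil_cfg80211_find_ie are reasonable to keep, because whether that helper tolerates a NULL buffer with length 0 is not visible here. The loop body continues past the end of the hunk.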