queue-4.19/wil6210-check-null-pointer-in-_wil_cfg80211_merge_ex.patch

   1 From 077ecd4bad3d93263c191102e7ab799d84cd9b7d Mon Sep 17 00:00:00 2001
   2 From: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
   3 Date: Fri, 22 Feb 2019 16:21:05 +0200
   4 Subject: wil6210: check null pointer in _wil_cfg80211_merge_extra_ies
   5
   6 [ Upstream commit de77a53c2d1e8fb3621e63e8e1f0f0c9a1a99ff7 ]
   7
   8 ies1 or ies2 might be null when code inside
   9 _wil_cfg80211_merge_extra_ies access them.
  10 Add explicit check for null and make sure ies1/ies2 are not
  11 accessed in such a case.
  12
  13 spos might be null and be accessed inside
  14 _wil_cfg80211_merge_extra_ies.
  15 Add explicit check for null in the while condition statement
  16 and make sure spos is not accessed in such a case.
  17
  18 Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
  19 Signed-off-by: Maya Erez <merez@codeaurora.org>
  20 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  21 Signed-off-by: Sasha Levin <sashal@kernel.org>
  22 ---
  23  drivers/net/wireless/ath/wil6210/cfg80211.c | 14 +++++++++++---
  24  1 file changed, 11 insertions(+), 3 deletions(-)
  25
  26 diff --git a/drivers/net/wireless/ath/wil6210/cfg80211.c b/drivers/net/wireless/ath/wil6210/cfg80211.c
  27 index f79c337105cb..2daf33342b23 100644
  28 --- a/drivers/net/wireless/ath/wil6210/cfg80211.c
  29 +++ b/drivers/net/wireless/ath/wil6210/cfg80211.c
  30 @@ -1420,6 +1420,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
  31         u8 *buf, *dpos;
  32         const u8 *spos;
  33
  34 +       if (!ies1)
  35 +               ies1_len = 0;
  36 +
  37 +       if (!ies2)
  38 +               ies2_len = 0;
  39 +
  40         if (ies1_len == 0 && ies2_len == 0) {
  41                 *merged_ies = NULL;
  42                 *merged_len = 0;
  43 @@ -1429,17 +1435,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
  44         buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL);
  45         if (!buf)
  46                 return -ENOMEM;
  47 -       memcpy(buf, ies1, ies1_len);
  48 +       if (ies1)
  49 +               memcpy(buf, ies1, ies1_len);
  50         dpos = buf + ies1_len;
  51         spos = ies2;
  52 -       while (spos + 1 < ies2 + ies2_len) {
  53 +       while (spos && (spos + 1 < ies2 + ies2_len)) {
  54                 /* IE tag at offset 0, length at offset 1 */
  55                 u16 ielen = 2 + spos[1];
  56
  57                 if (spos + ielen > ies2 + ies2_len)
  58                         break;
  59                 if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&
  60 -                   !_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) {
  61 +                   (!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,
  62 +                                                    spos, ielen))) {
  63                         memcpy(dpos, spos, ielen);
  64                         dpos += ielen;
  65                 }
  66 --
  67 2.19.1
  68