mirror of
https://github.com/lwfinger/rtl8188eu.git
synced 2024-11-29 23:43:40 +00:00
rtl8188eu: Rework section tgat fails in AP mode
The failure location points to a memcpy() call. Check the length parameter and report an out-of-bounds value. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
parent
c3ec302f58
commit
0c5f2e7112
1 changed files with 6 additions and 2 deletions
|
@ -12864,6 +12864,8 @@ u8 createbss_hdl(_adapter *padapter, u8 *pbuf)
|
||||||
|
|
||||||
/* below is for ad-hoc master */
|
/* below is for ad-hoc master */
|
||||||
if (parm->adhoc) {
|
if (parm->adhoc) {
|
||||||
|
int tmp_len;
|
||||||
|
|
||||||
rtw_warn_on(pdev_network->InfrastructureMode != Ndis802_11IBSS);
|
rtw_warn_on(pdev_network->InfrastructureMode != Ndis802_11IBSS);
|
||||||
rtw_joinbss_reset(padapter);
|
rtw_joinbss_reset(padapter);
|
||||||
|
|
||||||
|
@ -12892,12 +12894,14 @@ u8 createbss_hdl(_adapter *padapter, u8 *pbuf)
|
||||||
flush_all_cam_entry(padapter);
|
flush_all_cam_entry(padapter);
|
||||||
|
|
||||||
pdev_network->Length = get_WLAN_BSSID_EX_sz(pdev_network);
|
pdev_network->Length = get_WLAN_BSSID_EX_sz(pdev_network);
|
||||||
if (FIELD_OFFSET(WLAN_BSSID_EX, IELength) > MAX_IE_SZ) {
|
tmp_len = FIELD_OFFSET(WLAN_BSSID_EX, IELength);
|
||||||
|
if (tmp_len >= MAX_IE_SZ || tmp_len >= sizeof(pnetwork)){
|
||||||
|
pr_info("********** tmp_len too large, value = 0x%x\n", tmp_len);
|
||||||
ret = H2C_PARAMETERS_ERROR;
|
ret = H2C_PARAMETERS_ERROR;
|
||||||
goto ibss_post_hdl;
|
goto ibss_post_hdl;
|
||||||
}
|
}
|
||||||
|
|
||||||
memcpy(pnetwork, pdev_network, FIELD_OFFSET(WLAN_BSSID_EX, IELength));
|
memcpy(pnetwork, pdev_network, tmp_len);
|
||||||
pnetwork->IELength = pdev_network->IELength;
|
pnetwork->IELength = pdev_network->IELength;
|
||||||
|
|
||||||
memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength);
|
memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength);
|
||||||
|
|
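Review bot: `sizeof(pnetwork)` in the new guard measures a pointer rather than the destination structure (`pnetwork` is dereferenced with `->` a few lines below), so `tmp_len >= sizeof(pnetwork)` compares the fixed header offset with 4 or 8 bytes and will presumably always be true, sending every pass through this `parm->adhoc` branch to `H2C_PARAMETERS_ERROR`; it should read `tmp_len > sizeof(*pnetwork)`. `tmp_len` is a compile-time constant, so this test cannot catch a bad runtime length, while the second copy, `memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength)`, still uses an unvalidated `IELength`. Assuming `IEs` is a `MAX_IE_SZ`-byte array (its declaration is not in the hunk), the bound that matters is `if (pdev_network->IELength > MAX_IE_SZ) { ret = H2C_PARAMETERS_ERROR; goto ibss_post_hdl; }` placed before that copy. `tmp_len` would also be better declared `size_t` to avoid the signed/unsigned comparison. The body of createbss_hdl starts and ends outside the lines shown.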