rtl8188eu: Rework section tgat fails in AP mode

The failure location points to a memcpy() call. Check the length
parameter and report an out-of-bounds value.

Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
Larry Finger 2023-07-03 12:53:19 -05:00
parent c3ec302f58
commit 0c5f2e7112


@ -12864,6 +12864,8 @@ u8 createbss_hdl(_adapter *padapter, u8 *pbuf)
/* below is for ad-hoc master */
if (parm->adhoc) {
int tmp_len;
rtw_warn_on(pdev_network->InfrastructureMode != Ndis802_11IBSS);
rtw_joinbss_reset(padapter);
@ -12892,12 +12894,14 @@ u8 createbss_hdl(_adapter *padapter, u8 *pbuf)
flush_all_cam_entry(padapter);
pdev_network->Length = get_WLAN_BSSID_EX_sz(pdev_network);
if (FIELD_OFFSET(WLAN_BSSID_EX, IELength) > MAX_IE_SZ) {
tmp_len = FIELD_OFFSET(WLAN_BSSID_EX, IELength);
if (tmp_len >= MAX_IE_SZ || tmp_len >= sizeof(pnetwork)){
pr_info("********** tmp_len too large, value = 0x%x\n", tmp_len);
ret = H2C_PARAMETERS_ERROR;
goto ibss_post_hdl;
}
memcpy(pnetwork, pdev_network, FIELD_OFFSET(WLAN_BSSID_EX, IELength));
memcpy(pnetwork, pdev_network, tmp_len);
pnetwork->IELength = pdev_network->IELength;
memcpy(pnetwork->IEs, pdev_network->IEs, pnetwork->IELength);
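Review bot: The new guard `tmp_len >= sizeof(pnetwork)` measures the pointer rather than the structure: pnetwork is dereferenced with `->` a few lines later, so `sizeof(pnetwork)` is 4 or 8 bytes and the compile-time offset of IELength will very likely always exceed it, sending every ad-hoc create down the H2C_PARAMETERS_ERROR path. The length that actually varies at run time, `pdev_network->IELength`, still reaches the second memcpy() unchecked in this hunk, so that copy is the one that can overrun `pnetwork->IEs` unless it is validated somewhere outside the visible lines. I would change the condition to `if (tmp_len > sizeof(*pnetwork) || pdev_network->IELength > MAX_IE_SZ) {`, assuming IEs is sized by MAX_IE_SZ as the name suggests. tmp_len is an int compared against a size_t and printed with `%x`; declaring it size_t and printing with `%zx` would avoid the mixed-sign comparison. createbss_hdl starts and ends outside the hunk.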