wil6210: check null pointer in _wil_cfg80211_merge_extra_ies

ies1 or ies2 might be null when code inside
_wil_cfg80211_merge_extra_ies access them.
Add explicit check for null and make sure ies1/ies2 are not
accessed in such a case.

spos might be null and be accessed inside
_wil_cfg80211_merge_extra_ies.
Add explicit check for null in the while condition statement
and make sure spos is not accessed in such a case.

Signed-off-by: Alexei Avshalom Lazar <ailizaro@codeaurora.org>
Signed-off-by: Maya Erez <merez@codeaurora.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
This commit is contained in:
Alexei Avshalom Lazar 2019-02-22 16:21:05 +02:00 committed by Kalle Valo
parent 979c9d8d01
commit de77a53c2d
1 changed files with 11 additions and 3 deletions

View File

@ -1580,6 +1580,12 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
u8 *buf, *dpos;
const u8 *spos;
if (!ies1)
ies1_len = 0;
if (!ies2)
ies2_len = 0;
if (ies1_len == 0 && ies2_len == 0) {
*merged_ies = NULL;
*merged_len = 0;
@ -1589,17 +1595,19 @@ static int _wil_cfg80211_merge_extra_ies(const u8 *ies1, u16 ies1_len,
buf = kmalloc(ies1_len + ies2_len, GFP_KERNEL);
if (!buf)
return -ENOMEM;
memcpy(buf, ies1, ies1_len);
if (ies1)
memcpy(buf, ies1, ies1_len);
dpos = buf + ies1_len;
spos = ies2;
while (spos + 1 < ies2 + ies2_len) {
while (spos && (spos + 1 < ies2 + ies2_len)) {
/* IE tag at offset 0, length at offset 1 */
u16 ielen = 2 + spos[1];
if (spos + ielen > ies2 + ies2_len)
break;
if (spos[0] == WLAN_EID_VENDOR_SPECIFIC &&
!_wil_cfg80211_find_ie(ies1, ies1_len, spos, ielen)) {
(!ies1 || !_wil_cfg80211_find_ie(ies1, ies1_len,
spos, ielen))) {
memcpy(dpos, spos, ielen);
dpos += ielen;
}