2013-05-13 16:44:19

by John Greene

Subject: [RHEL 6.5 PATCH 170/176] brcmsmac: avoid 512 byte stack variable

Bugzilla: 757944
Brew: <https://brewweb.devel.redhat.com/taskinfo?taskID=5738553>
Upstream Status: 0d61c9177cb9bf48dcec9c3d9205a309085d4318
Tested: By me. Acceptable. See BZ for details

Dynamically allocate the probe response template which
avoids potential stack corruption. Observed with smatch:

drivers/net/wireless/brcm80211/brcmsmac/main.c:7412 brcms_c_bss_update_probe_resp()
warn: 'prb_resp' puts 512 bytes on stack

Cc: Brett Rudley <[email protected]>
Cc: Arend van Spriel <[email protected]>
Cc: "Franky (Zhenhui) Lin" <[email protected]>
Cc: Hante Meuleman <[email protected]>
Cc: "John W. Linville" <[email protected]>
Cc: Seth Forshee <[email protected]>
Cc: Pieter-Paul Giesberts <[email protected]>
Cc: Hauke Mehrtens <[email protected]>
Cc: [email protected]
Cc: [email protected]
Cc: [email protected]
Signed-off-by: Tim Gardner <[email protected]>
Acked-by: Arend van Spriel <[email protected]>
Signed-off-by: John W. Linville <[email protected]>
---
drivers/net/wireless/brcm80211/brcmsmac/main.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/brcm80211/brcmsmac/main.c b/drivers/net/wireless/brcm80211/brcmsmac/main.c
index c72fbab..8ec610e 100644
--- a/drivers/net/wireless/brcm80211/brcmsmac/main.c
+++ b/drivers/net/wireless/brcm80211/brcmsmac/main.c
@@ -7398,9 +7398,13 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc,
struct brcms_bss_cfg *cfg,
bool suspend)
{
- u16 prb_resp[BCN_TMPL_LEN / 2];
+ u16 *prb_resp;
int len = BCN_TMPL_LEN;

+ prb_resp = kmalloc(BCN_TMPL_LEN, GFP_ATOMIC);
+ if (!prb_resp)
+ return;
+
/*
* write the probe response to hardware, or save in
* the config structure
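Review bot: The allocation-failure path at `if (!prb_resp) return;` exits silently from what the hunk header context suggests is a void function, so the caller cannot tell that the probe response template was never written to hardware or saved in the config structure. Consider whether a stale template is acceptable here, and if it is not, propagate an error or retry. The commit message also does not say why `GFP_ATOMIC` is required; if every caller of brcms_c_bss_update_probe_resp() can sleep, `GFP_KERNEL` would make the 512-byte allocation far less likely to fail. If some caller is in atomic context, a short comment next to the kmalloc() stating that would help.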
@@ -7434,6 +7438,8 @@ brcms_c_bss_update_probe_resp(struct brcms_c_info *wlc,

if (suspend)
brcms_c_enable_mac(wlc);
+
+ kfree(prb_resp);
}

void brcms_c_update_probe_resp(struct brcms_c_info *wlc, bool suspend)
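Review bot: The `kfree(prb_resp);` added after the `if (suspend)` block frees the buffer only on the fall-through exit at the end of the function. The body between the two hunks is not shown in this diff, so please confirm there is no `return` between the kmalloc() and this point; any early exit there would leak the BCN_TMPL_LEN buffer on every call. If such a path exists or is added later, a single `out:` label before the kfree() keeps the cleanup in one place.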
--
1.7.11.7