2014-01-08 23:46:21

by Bing Zhao

Subject: [PATCH 1/2] mwifiex: fix potential buffer overflow in dt configuration

If the cfgdata length exceeds the command buffer size, we end up with a
buffer overflow. Fix it by checking the property length against the
buffer size less the command header length.

Reviewed-by: Paul Stewart <[email protected]>
Signed-off-by: Bing Zhao <[email protected]>
---
drivers/net/wireless/mwifiex/sta_cmd.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c
index 9c2404c..9208a88 100644
--- a/drivers/net/wireless/mwifiex/sta_cmd.c
+++ b/drivers/net/wireless/mwifiex/sta_cmd.c
@@ -1170,8 +1170,9 @@ int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
strncmp(prop->name, prefix, len))
continue;

- /* property header is 6 bytes */
- if (prop && prop->value && prop->length > 6) {
+ /* property header is 6 bytes, data must fit in cmd buffer */
+ if (prop && prop->value && prop->length > 6 &&
+ prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
HostCmd_ACT_GEN_SET, 0,
prop);
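Review bot: The new bound on line 30 silently drops an oversized property — a DT entry larger than `MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN` now just falls through the `if` with no diagnostic, which a user cannot distinguish from a missing table; a `dev_err(priv->adapter->dev, "cfgdata %s too large (%d)\n", prop->name, prop->length);` on the rejected path would make it visible. The constant presumably mirrors where the CFG_DATA command handler writes the payload after the `S_DS_GEN` header, but since the check lives at the caller rather than at the copy, the comment should say so explicitly (`/* must match the payload offset used by the CFG_DATA handler */`) so the two do not drift apart. Separately, the `prop &&` test on line 29 is dead: line 23 already dereferences `prop->name` before this condition is reached. mwifiex_dnld_dt_cfgdata starts and ends outside the hunk.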
--
1.8.2.3



2014-01-08 23:46:18

by Bing Zhao

Subject: [PATCH 2/2] mwifiex: use a function to replace two copies of a code fragment

Instead of keeping two copies of the device tree cfgdata download code,
factor it into a helper function.

Reviewed-by: Paul Stewart <[email protected]>
Signed-off-by: Bing Zhao <[email protected]>
---
drivers/net/wireless/mwifiex/cfg80211.c | 9 +--------
drivers/net/wireless/mwifiex/main.h | 1 +
drivers/net/wireless/mwifiex/sta_ioctl.c | 17 +++++++++++------
3 files changed, 13 insertions(+), 14 deletions(-)

diff --git a/drivers/net/wireless/mwifiex/cfg80211.c b/drivers/net/wireless/mwifiex/cfg80211.c
index b994679..e7c81ab 100644
--- a/drivers/net/wireless/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/mwifiex/cfg80211.c
@@ -563,14 +563,7 @@ static void mwifiex_reg_notifier(struct wiphy *wiphy,
memcpy(adapter->country_code, request->alpha2,
sizeof(request->alpha2));
mwifiex_send_domain_info_cmd_fw(wiphy);
-
- if (adapter->dt_node) {
- char txpwr[] = {"marvell,00_txpwrlimit"};
-
- memcpy(&txpwr[8], adapter->country_code, 2);
- mwifiex_dnld_dt_cfgdata(priv, adapter->dt_node,
- txpwr);
- }
+ mwifiex_dnld_txpwr_table(priv);
}
}

diff --git a/drivers/net/wireless/mwifiex/main.h b/drivers/net/wireless/mwifiex/main.h
index ab34164..d8ad554 100644
--- a/drivers/net/wireless/mwifiex/main.h
+++ b/drivers/net/wireless/mwifiex/main.h
@@ -1155,6 +1155,7 @@ void mwifiex_11h_process_join(struct mwifiex_private *priv, u8 **buffer,
int mwifiex_11h_handle_event_chanswann(struct mwifiex_private *priv);
int mwifiex_dnld_dt_cfgdata(struct mwifiex_private *priv,
struct device_node *node, const char *prefix);
+void mwifiex_dnld_txpwr_table(struct mwifiex_private *priv);

extern const struct ethtool_ops mwifiex_ethtool_ops;

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 3edc92f..c5cb2ed 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -184,6 +184,16 @@ int mwifiex_fill_new_bss_desc(struct mwifiex_private *priv,
return mwifiex_update_bss_desc_with_ie(priv->adapter, bss_desc);
}

+void mwifiex_dnld_txpwr_table(struct mwifiex_private *priv)
+{
+ if (priv->adapter->dt_node) {
+ char txpwr[] = {"marvell,00_txpwrlimit"};
+
+ memcpy(&txpwr[8], priv->adapter->country_code, 2);
+ mwifiex_dnld_dt_cfgdata(priv, priv->adapter->dt_node, txpwr);
+ }
+}
+
static int mwifiex_process_country_ie(struct mwifiex_private *priv,
struct cfg80211_bss *bss)
{
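Review bot: mwifiex_dnld_txpwr_table discards the `int` returned by mwifiex_dnld_dt_cfgdata on line 103 (declared as returning int on line 83 of main.h), so a failed or, with patch 1, silently skipped tx-power table download is invisible to both callers. Consider returning the status or at least logging it: `ret = mwifiex_dnld_dt_cfgdata(priv, priv->adapter->dt_node, txpwr); if (ret) dev_dbg(priv->adapter->dev, "txpwr table download failed: %d\n", ret);`. The hard-coded `8` in `memcpy(&txpwr[8], ...)` on line 102 is the position of the `00` placeholder after `"marvell,"`; spelling it `sizeof("marvell,") - 1` or adding `/* overwrite the "00" placeholder with the alpha2 country code */` would make that coupling explicit. The copy also assumes country_code holds exactly two bytes, which the cfg80211.c hunk (`sizeof(request->alpha2)`) supports but the helper itself does not state.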
@@ -234,12 +244,7 @@ static int mwifiex_process_country_ie(struct mwifiex_private *priv,
return -1;
}

- if (priv->adapter->dt_node) {
- char txpwr[] = {"marvell,00_txpwrlimit"};
-
- memcpy(&txpwr[8], priv->adapter->country_code, 2);
- mwifiex_dnld_dt_cfgdata(priv, priv->adapter->dt_node, txpwr);
- }
+ mwifiex_dnld_txpwr_table(priv);

return 0;
}
--
1.8.2.3