!9668 wifi: nl80211: Avoid address calculations via out of bounds array indexing (a89f0dfe) · Commits · EulixOS / Software / Kernel

net/wireless/nl80211.c

+7 −7

Original line number	Diff line number	Diff line
		@@ -9153,6 +9153,7 @@ static int nl80211_trigger_scan(struct sk_buff skb, struct genl_info info)
		struct wiphy *wiphy;
		int err, tmp, n_ssids = 0, n_channels, i;
		size_t ie_len, size;
		size_t ssids_offset, ie_offset;

		wiphy = &rdev->wiphy;

		@@ -9198,21 +9199,20 @@ static int nl80211_trigger_scan(struct sk_buff skb, struct genl_info info)
		return -EINVAL;

		size = struct_size(request, channels, n_channels);
		ssids_offset = size;
		size = size_add(size, array_size(sizeof(*request->ssids), n_ssids));
		ie_offset = size;
		size = size_add(size, ie_len);
		request = kzalloc(size, GFP_KERNEL);
		if (!request)
		return -ENOMEM;
		request->n_channels = n_channels;

		if (n_ssids)
		request->ssids = (void *)&request->channels[n_channels];
		request->ssids = (void *)request + ssids_offset;
		request->n_ssids = n_ssids;
		if (ie_len) {
		if (n_ssids)
		request->ie = (void *)(request->ssids + n_ssids);
		else
		request->ie = (void *)(request->channels + n_channels);
		}
		if (ie_len)
		request->ie = (void *)request + ie_offset;

		i = 0;
		if (scan_freqs) {