Skip to content
Commit 69ae4f6a authored by Takashi Iwai's avatar Takashi Iwai Committed by Kalle Valo
Browse files

mwifiex: Fix heap overflow in mwifiex_uap_parse_tail_ies()



A few places in mwifiex_uap_parse_tail_ies() perform memcpy()
unconditionally, which may lead to either buffer overflow or read over
boundary.

This patch addresses the issues by checking the read size and the
destination size at each place more properly.  Along with the fixes,
the patch cleans up the code slightly by introducing a temporary
variable for the token size, and unifies the error path with the
standard goto statement.

Reported-by: default avatarhuangwen <huangwen@venustech.com.cn>
Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
Signed-off-by: default avatarKalle Valo <kvalo@codeaurora.org>
parent 5f4d55d5
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment