diff options
author | Patrick Tjin <pattjin@google.com> | 2016-02-11 13:20:44 -0800 |
---|---|---|
committer | Kees Cook <keescook@chromium.org> | 2016-03-10 13:13:36 -0800 |
commit | 9f6c596b5e4402a8d74606f18138bf8b9aae0cea (patch) | |
tree | be8b602ee0393ef93f185ea2b6b1f05c5351111c | |
parent | 9466667a5f324c898aafd2e886cf924b69ecce19 (diff) | |
download | v4.1-9f6c596b5e4402a8d74606f18138bf8b9aae0cea.tar.gz |
net: wireless: bcmdhd: Do not print out device name on invalid length
(cherry picked from commit b149dd5d22c3e4c2faab0bb934a018888ff99ef3)
Signed-off-by: Patrick Tjin <pattjin@google.com>
Bug: 27335848
[fixes CVE-2016-0801]
Signed-off-by: Kees Cook <keescook@chromium.org>
Change-Id: I5cfc20061930080508f31ad2c198a4aca55caa6e
-rw-r--r-- | drivers/net/wireless/bcmdhd/wl_cfg80211.c | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c index 3e9906180d9..861afc9cead 100644 --- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c +++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c @@ -1325,10 +1325,12 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc) } else if (subelt_id == WPS_ID_DEVICE_NAME) { char devname[100]; size_t namelen = MIN(subelt_len, sizeof(devname)); - memcpy(devname, subel, namelen); - devname[namelen-1] = '\0'; - WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n", - devname, subelt_len)); + if (namelen) { + memcpy(devname, subel, namelen); + devname[namelen - 1] = '\0'; + WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n", + devname, subelt_len)); + } } else if (subelt_id == WPS_ID_DEVICE_PWD_ID) { valptr[0] = *subel; valptr[1] = *(subel + 1); |