net: wireless: bcmdhd: Do not print out device name on invalid length

(cherry picked from commit b149dd5d22c3e4c2faab0bb934a018888ff99ef3) Signed-off-by: Patrick Tjin <pattjin@google.com> Bug: 27335848 [fixes CVE-2016-0801] Signed-off-by: Kees Cook <keescook@chromium.org> Change-Id: I5cfc20061930080508f31ad2c198a4aca55caa6e
author: Patrick Tjin <pattjin@google.com> 2016-02-11 13:20:44 -0800
committer: Kees Cook <keescook@chromium.org> 2016-03-10 13:13:36 -0800
commit: 9f6c596b5e4402a8d74606f18138bf8b9aae0cea (patch)
tree: be8b602ee0393ef93f185ea2b6b1f05c5351111c
parent: 9466667a5f324c898aafd2e886cf924b69ecce19 (diff)
download: v4.1-9f6c596b5e4402a8d74606f18138bf8b9aae0cea.tar.gz
1 files changed, 6 insertions, 4 deletions
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 3e9906180d9..861afc9cead 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -1325,10 +1325,12 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc)
 		} else if (subelt_id == WPS_ID_DEVICE_NAME) {
 			char devname[100];
 			size_t namelen = MIN(subelt_len, sizeof(devname));
-			memcpy(devname, subel, namelen);
-			devname[namelen-1] = '\0';
-			WL_DBG(("  attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
-				devname, subelt_len));
+			if (namelen) {
+				memcpy(devname, subel, namelen);
+				devname[namelen - 1] = '\0';
+				WL_DBG(("  attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
+					devname, subelt_len));
+			}
 		} else if (subelt_id == WPS_ID_DEVICE_PWD_ID) {
 			valptr[0] = *subel;
 			valptr[1] = *(subel + 1);
author	Patrick Tjin <pattjin@google.com>	2016-02-11 13:20:44 -0800
committer	Kees Cook <keescook@chromium.org>	2016-03-10 13:13:36 -0800
commit	9f6c596b5e4402a8d74606f18138bf8b9aae0cea (patch)
tree	be8b602ee0393ef93f185ea2b6b1f05c5351111c
parent	9466667a5f324c898aafd2e886cf924b69ecce19 (diff)
download	v4.1-9f6c596b5e4402a8d74606f18138bf8b9aae0cea.tar.gz