Skip to content

Commit 46953f9

Browse files
kengiterKalle Valo
kengiter
authored and
Kalle Valo
committed
brcmfmac: fix missing checks for kmemdup
In case kmemdup fails, the fix sets conn_info->req_ie_len and conn_info->resp_ie_len to zero to avoid buffer overflows. Signed-off-by: Kangjie Lu <[email protected]> Acked-by: Arend van Spriel <[email protected]> Signed-off-by: Kalle Valo <[email protected]>
1 parent a9fd095 commit 46953f9

File tree

1 file changed

+4
-0
lines changed
  • drivers/net/wireless/broadcom/brcm80211/brcmfmac

1 file changed

+4
-0
lines changed

drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -5464,6 +5464,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
54645464
conn_info->req_ie =
54655465
kmemdup(cfg->extra_buf, conn_info->req_ie_len,
54665466
GFP_KERNEL);
5467+
if (!conn_info->req_ie)
5468+
conn_info->req_ie_len = 0;
54675469
} else {
54685470
conn_info->req_ie_len = 0;
54695471
conn_info->req_ie = NULL;
@@ -5480,6 +5482,8 @@ static s32 brcmf_get_assoc_ies(struct brcmf_cfg80211_info *cfg,
54805482
conn_info->resp_ie =
54815483
kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
54825484
GFP_KERNEL);
5485+
if (!conn_info->resp_ie)
5486+
conn_info->resp_ie_len = 0;
54835487
} else {
54845488
conn_info->resp_ie_len = 0;
54855489
conn_info->resp_ie = NULL;

0 commit comments

Comments
 (0)