1 From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
2 From: Kangjie Lu <kjlu@umn.edu>
3 Date: Fri, 15 Mar 2019 12:04:32 -0500
4 Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
6 In case kmemdup fails, the fix sets conn_info->req_ie_len and
7 conn_info->resp_ie_len to zero to avoid buffer overflows.
9 Signed-off-by: Kangjie Lu <kjlu@umn.edu>
10 Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
11 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
13 drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
14 1 file changed, 4 insertions(+)
16 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
17 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
18 @@ -5456,6 +5456,8 @@ static s32 brcmf_get_assoc_ies(struct br
20 kmemdup(cfg->extra_buf, conn_info->req_ie_len,
22 + if (!conn_info->req_ie)
23 + conn_info->req_ie_len = 0;
25 conn_info->req_ie_len = 0;
26 conn_info->req_ie = NULL;
27 @@ -5472,6 +5474,8 @@ static s32 brcmf_get_assoc_ies(struct br
29 kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
31 + if (!conn_info->resp_ie)
32 + conn_info->resp_ie_len = 0;
34 conn_info->resp_ie_len = 0;
35 conn_info->resp_ie = NULL;