package/kernel/mac80211/patches/brcm/365-v5.2-brcmfmac-fix-missing-checks-for-kmemdup.patch

   1 From 46953f97224d56a12ccbe9c6acaa84ca0dab2780 Mon Sep 17 00:00:00 2001
   2 From: Kangjie Lu <kjlu@umn.edu>
   3 Date: Fri, 15 Mar 2019 12:04:32 -0500
   4 Subject: [PATCH] brcmfmac: fix missing checks for kmemdup
   5
   6 In case kmemdup fails, the fix sets conn_info->req_ie_len and
   7 conn_info->resp_ie_len to zero to avoid buffer overflows.
   8
   9 Signed-off-by: Kangjie Lu <kjlu@umn.edu>
  10 Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com>
  11 Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
  12 ---
  13  drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 4 ++++
  14  1 file changed, 4 insertions(+)
  15
  16 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
  17 +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
  18 @@ -5456,6 +5456,8 @@ static s32 brcmf_get_assoc_ies(struct br
  19                 conn_info->req_ie =
  20                     kmemdup(cfg->extra_buf, conn_info->req_ie_len,
  21                             GFP_KERNEL);
  22 +               if (!conn_info->req_ie)
  23 +                       conn_info->req_ie_len = 0;
  24         } else {
  25                 conn_info->req_ie_len = 0;
  26                 conn_info->req_ie = NULL;
  27 @@ -5472,6 +5474,8 @@ static s32 brcmf_get_assoc_ies(struct br
  28                 conn_info->resp_ie =
  29                     kmemdup(cfg->extra_buf, conn_info->resp_ie_len,
  30                             GFP_KERNEL);
  31 +               if (!conn_info->resp_ie)
  32 +                       conn_info->resp_ie_len = 0;
  33         } else {
  34                 conn_info->resp_ie_len = 0;
  35                 conn_info->resp_ie = NULL;