mwifiex: fix potential buffer overflow in dt configuration If cfgdata length exceeds the command buffer size we will end up getting buffer overflow problem. Fix it by checking the buffer size less the command header length. Reviewed-by: Paul Stewart <pstew@chromium.org> Signed-off-by: Bing Zhao <bzhao@marvell.com> Signed-off-by: John W. Linville <linville@tuxdriver.com>

commit: 63791ccd4690e5c6b3f060bcd2b846e31bd0b423 [log] [tgz]
author: Bing Zhao <bzhao@marvell.com> Wed Jan 08 15:45:56 2014 -0800
committer: John W. Linville <linville@tuxdriver.com> Thu Jan 09 10:56:40 2014 -0500
tree: ae3353022595d1dcffb30641aa9e6f60139c4f5f
parent: 1cbbcb08c786964a16773c39f2536f1923c73c58 [diff]
diff --git a/drivers/net/wireless/mwifiex/sta_cmd.c b/drivers/net/wireless/mwifiex/sta_cmd.c
index 9c2404c..9208a88 100644
--- a/drivers/net/wireless/mwifiex/sta_cmd.c
+++ b/drivers/net/wireless/mwifiex/sta_cmd.c

@@ -1170,8 +1170,9 @@
 		    strncmp(prop->name, prefix, len))
 			continue;
 
-		/* property header is 6 bytes */
-		if (prop && prop->value && prop->length > 6) {
+		/* property header is 6 bytes, data must fit in cmd buffer */
+		if (prop && prop->value && prop->length > 6 &&
+		    prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
 			ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
 						    HostCmd_ACT_GEN_SET, 0,
 						    prop);
commit	63791ccd4690e5c6b3f060bcd2b846e31bd0b423	[log] [tgz]
author	Bing Zhao <bzhao@marvell.com>	Wed Jan 08 15:45:56 2014 -0800
committer	John W. Linville <linville@tuxdriver.com>	Thu Jan 09 10:56:40 2014 -0500
tree	ae3353022595d1dcffb30641aa9e6f60139c4f5f
parent	1cbbcb08c786964a16773c39f2536f1923c73c58 [diff]