Merge branch 'dev/FP2N-265' into staging/n/fp2
* dev/FP2N-265:
wlan: Fix OOB read in sme_RrmProcessBeaconReportReqInd
wlan: Fix possible integer underflow in cfg80211_rx_mgmt
wlan: Fix possible buffer overflow in sirConvertAddtsRsp2Struct
wlan: Fix OOB read in lim_process_deauth_frame
wlan: Fix integer truncation in convert_wsc_opaque
wlan: Fix buffer overwrite in csrRoamCheckForLinkStatusChange
wlan: Avoid int overflow in csr_scan_save_preferred_network_found()
Change-Id: I1d22543fd3e9a2ded22ae19bd6ee622d8d8d3870
diff --git a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
index 9ed8070..2584ccb 100644
--- a/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
+++ b/drivers/staging/prima/CORE/HDD/src/wlan_hdd_cfg80211.c
@@ -16574,6 +16574,12 @@
buf = nla_data(tb[WLAN_HDD_TM_ATTR_DATA]);
buf_len = nla_len(tb[WLAN_HDD_TM_ATTR_DATA]);
+ if (buf_len > sizeof(*hb_params)) {
+ hddLog(LOGE, FL("buf_len=%d exceeded hb_params size limit"),
+ buf_len);
+ return -ERANGE;
+ }
+
hb_params_temp =(tSirLPHBReq *)buf;
if ((hb_params_temp->cmd == LPHB_SET_TCP_PARAMS_INDID) &&
(hb_params_temp->params.lphbTcpParamReq.timePeriodSec == 0))
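Review bot: The added guard `if (buf_len > sizeof(*hb_params))` rejects only attributes that are too long; an attribute shorter than the request structure still reaches the `(tSirLPHBReq *)buf` cast and the reads of `cmd` and `params.lphbTcpParamReq.timePeriodSec` just below, which would then read past the end of the netlink payload. Unless a minimum length is already enforced earlier in the function (its body starts and ends outside this hunk), the guard should reject short input as well, for example `if (buf_len < sizeof(*hb_params_temp) || buf_len > sizeof(*hb_params)) {`. If shorter per-command payloads are legitimate, the lower bound should at least cover the fields dereferenced here before the command type is known.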
diff --git a/fs/pipe.c b/fs/pipe.c
index edd1c63..fc9a3a8 100644
--- a/fs/pipe.c
+++ b/fs/pipe.c
@@ -396,6 +396,7 @@
void *addr;
size_t chars = buf->len, remaining;
int error, atomic;
+ int offset;
if (chars > total_len)
chars = total_len;
@@ -409,9 +410,10 @@
atomic = !iov_fault_in_pages_write(iov, chars);
remaining = chars;
+ offset = buf->offset;
redo:
addr = ops->map(pipe, buf, atomic);
- error = pipe_iov_copy_to_user(iov, addr, &buf->offset,
+ error = pipe_iov_copy_to_user(iov, addr, &offset,
&remaining, atomic);
ops->unmap(pipe, buf, addr);
if (unlikely(error)) {
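Review bot: The reason for copying through a local `offset` is not documented at `offset = buf->offset;`, and its placement before the `redo:` label is exactly the kind of detail a later cleanup could undo. A short comment would preserve the intent, e.g. `/* copy via a local offset; buf->offset is committed together with buf->len only after the copy succeeds */`, which matches the `buf->offset += chars;` added in the last hunk of this file. Separately, `offset` is declared `int` in the first hunk next to `size_t chars`; if `buf->offset` is unsigned (its declaration and the prototype of `pipe_iov_copy_to_user` are not visible here), the local should use the same type as the helper's parameter to avoid a sign conversion. The enclosing loop body starts and ends outside the hunk.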
@@ -427,6 +429,7 @@
break;
}
ret += chars;
+ buf->offset += chars;
buf->len -= chars;
/* Was it a packet buffer? Clean up and exit */