From 0e973fee3a330c2a2ccff07b5ee8aa546e552b51 Mon Sep 17 00:00:00 2001
From: Zhao Xuewen <zhaoxuewen@huawei.com>
Date: Fri, 8 Apr 2016 10:46:09 +0800
Subject: [PATCH] net: wireless: bcmdhd: validate remaining space in WPS IE

Validate the amount of remaining space in the WPS IE
to prevent reading past the end of the buffer.

Change-Id: I897ef4c54b6830f1f24bb958965bdf6c3b83758a
Signed-off-by: Patrick Tjin <pattjin@google.com>
---
 drivers/net/wireless/bcmdhd/wl_cfg80211.c | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 6d75d5704ae0..56114346f09e 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -1138,7 +1138,14 @@ wl_validate_wps_ie(char *wps_ie, s32 wps_ie_len, bool *pbc)
 		subelt_len = HTON16(val);
 
 		len -= 4;			/* for the attr id, attr len fields */
+
+		if (len < subelt_len) {
+			WL_ERR(("not enough data, len %d, subelt_len %d\n", len,
+				subelt_len));
+			break;
+		}
 		len -= subelt_len;	/* for the remaining fields in this attribute */
+
 		WL_DBG((" subel=%p, subelt_id=0x%x subelt_len=%u\n",
 			subel, subelt_id, subelt_len));
 
-- 
GitLab