From: Luca Coelho <luciano.coelho@xxxxxxxxx>
Make sure the length of the ciphers we are copying never exceeds the
space we have for storing them. There is no risk of overcopying at
the moment, because we check n_params before, but this makes this
function safer in case someone changes something in the future.
Signed-off-by: Luca Coelho <luciano.coelho@xxxxxxxxx>
---
drivers/net/wireless/mac80211_hwsim.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/mac80211_hwsim.c b/drivers/net/wireless/mac80211_hwsim.c
index 0838af04d681..809a75357113 100644
--- a/drivers/net/wireless/mac80211_hwsim.c
+++ b/drivers/net/wireless/mac80211_hwsim.c
@@ -3,7 +3,7 @@
* Copyright (c) 2008, Jouni Malinen <j@xxxxx>
* Copyright (c) 2011, Javier Lopez <jlopex@xxxxxxxxx>
* Copyright (c) 2016 - 2017 Intel Deutschland GmbH
- * Copyright (C) 2018 Intel Corporation
+ * Copyright (C) 2018 - 2019 Intel Corporation
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -2776,10 +2776,14 @@ static int mac80211_hwsim_new_radio(struct genl_info *info,
hw->wiphy->n_iface_combinations = 1;
if (param->ciphers) {
- memcpy(data->ciphers, param->ciphers,
- param->n_ciphers * sizeof(u32));
+ int ciphers_len = param->n_ciphers * sizeof(data->ciphers[0]);
+
+ if (WARN_ON_ONCE(ciphers_len > sizeof(data->ciphers)))
+ ciphers_len = sizeof(data->ciphers);
+
+ memcpy(data->ciphers, param->ciphers, ciphers_len);
hw->wiphy->cipher_suites = data->ciphers;
- hw->wiphy->n_cipher_suites = param->n_ciphers;
+ hw->wiphy->n_cipher_suites = ciphers_len / sizeof(data->ciphers[0]);
}
INIT_DELAYED_WORK(&data->roc_start, hw_roc_start);
--
2.20.1
