From: Dan Carpenter <dan.carpenter@xxxxxxxxxx> [ Upstream commit d59dc92f1bccd5acde793aebdbb4f7121cf3f9af ] The "rates_len" value needs to be capped so that the memcpy() doesn't copy beyond the end of the array. Fixes: c5c77ba18ea6 ("staging: wilc1000: Add SDIO/SPI 802.11 driver") Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx> Reviewed-by: Adham Abozaeid <adham.abozaeid@xxxxxxxxxxxxx> Link: https://lore.kernel.org/r/20191017091832.GB31278@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx> --- drivers/staging/wilc1000/wilc_hif.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/drivers/staging/wilc1000/wilc_hif.c b/drivers/staging/wilc1000/wilc_hif.c index d3d9ea284816a..77d0732f451be 100644 --- a/drivers/staging/wilc1000/wilc_hif.c +++ b/drivers/staging/wilc1000/wilc_hif.c @@ -473,6 +473,8 @@ void *wilc_parse_join_bss_param(struct cfg80211_bss *bss, rates_ie = cfg80211_find_ie(WLAN_EID_SUPP_RATES, ies->data, ies->len); if (rates_ie) { rates_len = rates_ie[1]; + if (rates_len > WILC_MAX_RATES_SUPPORTED) + rates_len = WILC_MAX_RATES_SUPPORTED; param->supp_rates[0] = rates_len; memcpy(¶m->supp_rates[1], rates_ie + 2, rates_len); } -- 2.20.1