On Mon, Feb 10, 2020 at 06:36:01PM +0000, Ajay.Kathat@xxxxxxxxxxxxx wrote:
> +	if (sta_ch == WILC_INVALID_CHANNEL)
> +		return;
>
> 	while (index < len) {

This range checking was there in the original code, but it's not correct.
index and len are in terms of bytes so we know that we can read one byte
from &buf[index] but we are reading a wilc_attr_entry struct which is
larger than a byte.  The struct is actually flexibly sized so this should
be something like:

	while (index + sizeof(struct wilc_attr_entry) <= len) {
		e = (struct wilc_attr_entry *)&buf[index];
		if (index + sizeof(struct wilc_attr_entry) + le16_to_cpu(e->attr_len) > len)
			break;

> -		if (buf[index] == CHANLIST_ATTR_ID)
> -			channel_list_attr_index = index;
> -		else if (buf[index] == OPERCHAN_ATTR_ID)
> -			op_channel_attr_index = index;
> -		index += buf[index + 1] + 3;
> +		e = (struct wilc_attr_entry *)&buf[index];
> +		if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
> +			ch_list_idx = index;
> +		else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL)
> +			op_ch_idx = index;
> +		if (ch_list_idx && op_ch_idx)
> +			break;
> +		index += le16_to_cpu(e->attr_len) + sizeof(*e);
> 	}

regards,
dan carpenter
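Review bot: the early exit `if (ch_list_idx && op_ch_idx) break;` treats 0 as "not found" for both indices, so if the walk can start at offset 0 an attribute located there is indistinguishable from an absent one and the loop keeps scanning to the end instead of breaking. Initialise both indices to an explicit sentinel (or keep separate found flags) and test against that rather than relying on truthiness of the offset.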
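The bounds check described in the reply, as an added stand-alone example that is not the driver's code or the patch: a walker over a constructed attribute buffer that reads a header only once all three bytes of it fit, and trusts attr_len only once the payload fits too. The header layout, the attribute ID values and the NOT_FOUND sentinel are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Assumed header layout (a reconstruction for this example, not the driver's
 * definition): a 1-byte attribute type then a little-endian u16 payload length. */
struct attr_entry {
	uint8_t type;
	uint8_t len_le[2];	/* kept as bytes so the read is alignment-safe */
};

#define ATTR_CHANNEL_LIST 11	/* P2P attribute IDs: assumed values */
#define ATTR_OPER_CHANNEL 17
#define NOT_FOUND SIZE_MAX	/* 0 is a valid offset, so it cannot mean "absent" */
enum walk_status { WALK_OK = 0, WALK_TRUNCATED = 1 };
static uint16_t le16_get(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Walk buf[0..len) for the two attributes. The header is read only once all
 * three bytes of it fit, and the payload is trusted only once attr_len fits. */
enum walk_status find_attrs(const uint8_t *buf, size_t len,
			    size_t *ch_list_off, size_t *op_ch_off)
{
	size_t index = 0;
	*ch_list_off = NOT_FOUND;
	*op_ch_off = NOT_FOUND;
	while (index + sizeof(struct attr_entry) <= len) {
		const struct attr_entry *e = (const void *)&buf[index];
		size_t attr_len = le16_get(e->len_le);
		/* Subtraction form: remaining space is >= 0 here, so no wrap. */
		if (attr_len > len - index - sizeof(*e))
			return WALK_TRUNCATED;
		if (e->type == ATTR_CHANNEL_LIST)
			*ch_list_off = index;
		else if (e->type == ATTR_OPER_CHANNEL)
			*op_ch_off = index;
		if (*ch_list_off != NOT_FOUND && *op_ch_off != NOT_FOUND)
			break;
		index += sizeof(*e) + attr_len;
	}
	return WALK_OK;	/* trailing bytes shorter than a header are ignored */
}

/* Constructed samples. good_buf: Channel List (4-byte payload) at offset 0,
 * then Operating Channel (5-byte payload) at offset 7. bad_buf: the same
 * bytes, but the second header claims 256 payload bytes. */
const uint8_t good_buf[] = { 11, 4, 0, 0x11, 0x22, 0x33, 0x44,
			     17, 5, 0, 'X', 'X', 0x51, 11, 11 };
const uint8_t bad_buf[]  = { 11, 4, 0, 0x11, 0x22, 0x33, 0x44,
			     17, 0, 1, 'X', 'X', 0x51, 11, 11 };
/* Helper: run a walk and compare status and both offsets in one call. */
int check(const uint8_t *b, size_t n, enum walk_status st, size_t cl, size_t op)
{ size_t a, c; return find_attrs(b, n, &a, &c) == st && a == cl && c == op; }
```

Passing good_buf with len cut to 8 leaves a lone type byte at the end; the `index < len` test from the original loop would still have read that header, while this walker stops before it.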