From: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx> mwifiex_config_scan() calls memcpy() without checking the destination size may trigger a buffer overflower, which a local user could use to cause denial of service or the execution of arbitrary code. Fix it by putting the length check before calling memcpy(). Signed-off-by: Zhang Xiaohui <ruc_zhangxiaohui@xxxxxxx> --- drivers/net/wireless/marvell/mwifiex/scan.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c index c2a685f63..34293fd80 100644 --- a/drivers/net/wireless/marvell/mwifiex/scan.c +++ b/drivers/net/wireless/marvell/mwifiex/scan.c @@ -931,7 +931,7 @@ mwifiex_config_scan(struct mwifiex_private *priv, wildcard_ssid_tlv->max_ssid_length = 0xfe; memcpy(wildcard_ssid_tlv->ssid, - user_scan_in->ssid_list[i].ssid, ssid_len); + user_scan_in->ssid_list[i].ssid, min_t(u32, ssid_len, 1)); tlv_pos += (sizeof(wildcard_ssid_tlv->header) + le16_to_cpu(wildcard_ssid_tlv->header.len)); -- 2.17.1
