Minsuk Kang <linuxlovemin@xxxxxxxxxxxx> wrote:
> v1->v2: Added a macro BRCMF_MAX_CHANSPEC_LIST
>
> .../broadcom/brcm80211/brcmfmac/cfg80211.c | 17 +++++++++++++++++
> 1 file changed, 17 insertions(+)
>
> diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> index ae9507dec74a..bff3128c2f26 100644
> --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
> @@ -101,6 +101,9 @@
> #define BRCMF_ASSOC_PARAMS_FIXED_SIZE \
> (sizeof(struct brcmf_assoc_params_le) - sizeof(u16))
>
> +#define BRCMF_MAX_CHANSPEC_LIST \
> + (BRCMF_DCMD_MEDLEN / sizeof(__le32) - 1)
> +
> struct brcmf_dump_survey {
> u32 obss;
> u32 ibss;
> @@ -6840,6 +6843,13 @@ static int brcmf_construct_chaninfo(struct brcmf_cfg80211_info *cfg,
> band->channels[i].flags = IEEE80211_CHAN_DISABLED;
>
> total = le32_to_cpu(list->count);
> + if (total > BRCMF_MAX_CHANSPEC_LIST) {
> + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
> + total);
> + err = -EINVAL;
> + goto fail_pbuf;
> + }
> +
> for (i = 0; i < total; i++) {
> ch.chspec = (u16)le32_to_cpu(list->element[i]);
> cfg->d11inf.decchspec(&ch);
> @@ -6985,6 +6995,13 @@ static int brcmf_enable_bw40_2g(struct brcmf_cfg80211_info *cfg)
> band = cfg_to_wiphy(cfg)->bands[NL80211_BAND_2GHZ];
> list = (struct brcmf_chanspec_list *)pbuf;
> num_chan = le32_to_cpu(list->count);
> + if (num_chan > BRCMF_MAX_CHANSPEC_LIST) {
> + bphy_err(drvr, "Invalid count of channel Spec. (%u)\n",
> + num_chan);
> + kfree(pbuf);
> + return -EINVAL;
> + }
> +
> for (i = 0; i < num_chan; i++) {
> ch.chspec = (u16)le32_to_cpu(list->element[i]);
> cfg->d11inf.decchspec(&ch);

I have incorporated your review in this patch. Please let me know if any further changes are needed.
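Review bot: BRCMF_MAX_CHANSPEC_LIST carries no comment saying which buffer it describes, and the bound is only correct while every chanspec buffer it guards is at least BRCMF_DCMD_MEDLEN bytes. The `- 1` presumably accounts for the `count` word that precedes `element[]`, but neither the struct layout nor the allocations are visible in these hunks. A comment above the macro such as `/* Max chanspec entries in a BRCMF_DCMD_MEDLEN buffer, after the __le32 count field */` would keep a later change to either allocation size from silently invalidating the two new checks.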
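Review bot: In brcmf_construct_chaninfo the new count check runs after the context line `band->channels[i].flags = IEEE80211_CHAN_DISABLED;`, so a list rejected with -EINVAL still leaves the channels flagged disabled. If `list` is already populated before those loops (the fill call is outside the hunk), moving `total = le32_to_cpu(list->count);` and the range check ahead of them would reject a malformed firmware reply before any band state changes. The function's start and the `fail_pbuf` label are outside the hunk, so if the order stays as is, confirm that the caller treats this error as fatal.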