If cfgdata length exceeds the command buffer size we will end up
getting buffer overflow problem. Fix it by checking the buffer
size less the command header length.
Reviewed-by: Paul Stewart <pstew@chromium.org>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
strncmp(prop->name, prefix, len))
continue;
- /* property header is 6 bytes */
- if (prop && prop->value && prop->length > 6) {
+ /* property header is 6 bytes, data must fit in cmd buffer */
+ if (prop && prop->value && prop->length > 6 &&
+ prop->length <= MWIFIEX_SIZE_OF_CMD_BUFFER - S_DS_GEN) {
ret = mwifiex_send_cmd_sync(priv, HostCmd_CMD_CFG_DATA,
HostCmd_ACT_GEN_SET, 0,
prop);