brcmfmac: fix out of bound access on clearing wowl wake indicator
author Hante Meuleman <hante.meuleman@broadcom.com>
Mon, 19 Sep 2016 11:09:58 +0000 (12:09 +0100)
committer Kalle Valo <kvalo@codeaurora.org>
Mon, 26 Sep 2016 17:35:55 +0000 (20:35 +0300)
Clearing the wowl wake indicator happens with a rather odd
construction where the string "clear" is used to set the iovar
wowl_wakeind. This was implemented incorrectly as it caused an
out-of-bounds access. Use an intermediate variable of correct
length and copy the string into that. The problem was found using Coverity.

Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c

index 0f2667e95e81ce0a8a22273cd92d80738bfb4a95..d97d6b153d6a1c5f66d339002b76010c09eafd28 100644 (file)
@@ -3703,6 +3703,7 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg,
                                 struct cfg80211_wowlan *wowl)
 {
        u32 wowl_config;
+       struct brcmf_wowl_wakeind_le wowl_wakeind;
        u32 i;
 
        brcmf_dbg(TRACE, "Suspend, wowl config.\n");
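Review bot: the new local `struct brcmf_wowl_wakeind_le wowl_wakeind;` is declared without an initializer, and the later hunk only writes 6 bytes into it before the full `sizeof(wowl_wakeind)` is handed to `brcmf_fil_iovar_data_set()`; consider `struct brcmf_wowl_wakeind_le wowl_wakeind = {0};` so the remaining bytes sent to the firmware are defined rather than stale stack contents.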
@@ -3744,8 +3745,9 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg,
        if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state))
                wowl_config |= BRCMF_WOWL_UNASSOC;
 
-       brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear",
-                                sizeof(struct brcmf_wowl_wakeind_le));
+       memcpy(&wowl_wakeind, "clear", 6);
+       brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind,
+                                sizeof(wowl_wakeind));
        brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config);
        brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1);
        brcmf_bus_wowl_config(cfg->pub->bus_if, true);
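Review bot: `memcpy(&wowl_wakeind, "clear", 6);` hard-codes the length of the literal; `sizeof("clear")` expresses the same 6 bytes (including the NUL) without a magic number and stays correct if the string changes. Since the fix exists precisely because the old call read `sizeof(struct brcmf_wowl_wakeind_le)` bytes from a 6-byte literal, a `BUILD_BUG_ON(sizeof(wowl_wakeind) < sizeof("clear"));` next to the memcpy would document the opposite assumption (the struct is at least as large as the string) and catch it at compile time if the struct layout shrinks.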