import PULS_20180308
[GitHub/mt8127/android_kernel_alcatel_ttab.git] / drivers / misc / mediatek / connectivity / conn_soc / drv_wlan / mt_wifi / wlan / os / linux / gl_wext_priv.c
index 4cb19c1b3cef16628f3c6cacc3c2ddb634e76660..11dd7fd568754730f11769fe80e01b1027f3f4b7 100644 (file)
@@ -1334,12 +1334,15 @@ priv_get_int (
         {
                        wlanQueryDebugCode(prGlueInfo->prAdapter);
 
-                               kalMemSet(gucBufDbgCode, '.', sizeof(gucBufDbgCode));
-                if (copy_to_user(prIwReqData->data.pointer, gucBufDbgCode, prIwReqData->data.length)) {
-                     return -EFAULT;
-                }
-                else
-                     return status;
+                       kalMemSet(gucBufDbgCode, '.', sizeof(gucBufDbgCode));
+                       u4BufLen = prIwReqData->data.length;
+                       if (u4BufLen > sizeof(gucBufDbgCode))
+                               u4BufLen = sizeof(gucBufDbgCode);
+            if (copy_to_user(prIwReqData->data.pointer, gucBufDbgCode, u4BufLen)) {
+                 return -EFAULT;
+            }
+            else
+                 return status;
         }
 
     default:
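Review bot: The clamp at `if (u4BufLen > sizeof(gucBufDbgCode))` silently shortens the copy, but `prIwReqData->data.length` keeps the caller's value, so user space cannot tell how many bytes of its buffer were filled and may read the unwritten tail as debug data. Consider setting `prIwReqData->data.length = u4BufLen;` before the `copy_to_user()` call, assuming the length field is copied back to the caller on this path (not visible here). A short comment above the clamp, such as `/* never copy more than the static debug buffer holds */`, would record why it exists. `u4BufLen` is presumably declared earlier in priv_get_int, outside this hunk, which starts and ends mid-function.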
@@ -1769,6 +1772,7 @@ priv_get_struct (
     UINT_32         u4BufLen = 0;
     PUINT_32        pu4IntBuf = NULL;
     int             status = 0;
+    UINT_32         u4CopyDataMax = 0;
 
     kalMemZero(&aucOidBuf[0], sizeof(aucOidBuf));
 
@@ -1839,9 +1843,11 @@ priv_get_struct (
         pu4IntBuf = (PUINT_32)prIwReqData->data.pointer;
         prNdisReq = (P_NDIS_TRANSPORT_STRUCT) &aucOidBuf[0];
 
-        if (copy_from_user(&prNdisReq->ndisOidContent[0],
-                prIwReqData->data.pointer,
-                prIwReqData->data.length)) {
+               u4CopyDataMax = sizeof(aucOidBuf) - OFFSET_OF(NDIS_TRANSPORT_STRUCT, ndisOidContent);
+               if ((prIwReqData->data.length > u4CopyDataMax)
+                       || copy_from_user(&prNdisReq->ndisOidContent[0],
+                                                               prIwReqData->data.pointer,
+                                                               prIwReqData->data.length)) {
             DBGLOG(REQ, INFO, ("priv_get_struct() copy_from_user oidBuf fail\n"));
             return -EFAULT;
         }
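Review bot: An oversized `prIwReqData->data.length` now takes the same branch as a faulting `copy_from_user()`, so the caller gets `-EFAULT` and the log says "copy_from_user oidBuf fail" even though no copy was attempted. Splitting the check would make rejected lengths distinguishable in triage: put `if (prIwReqData->data.length > u4CopyDataMax) return -EINVAL;` ahead of the copy, with its own DBGLOG line. The bound also assumes `sizeof(aucOidBuf)` is at least the offset of `ndisOidContent`. Because the subtraction is unsigned and the declaration of `aucOidBuf` is outside the hunk, that is worth confirming. priv_get_struct continues past the end of this hunk.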