wil6210: missing length check in wil_cfg80211_mgmt_tx
authorLior David <qca_liord@qca.qualcomm.com>
Tue, 14 Nov 2017 13:25:40 +0000 (15:25 +0200)
committerKalle Valo <kvalo@qca.qualcomm.com>
Sat, 2 Dec 2017 14:18:50 +0000 (16:18 +0200)
Add a length check in wil_cfg80211_mgmt_tx to detect unsigned integer
overflow.

Signed-off-by: Lior David <qca_liord@qca.qualcomm.com>
Signed-off-by: Maya Erez <qca_merez@qca.qualcomm.com>
Signed-off-by: Kalle Valo <kvalo@qca.qualcomm.com>
drivers/net/wireless/ath/wil6210/cfg80211.c

index c3d3c0c0e206a21a9f3c959a8e8940120a9ac5a3..771a534d6ca90e69d4de171a8d086955767956d6 100644 (file)
@@ -901,7 +901,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
                         u64 *cookie)
 {
        const u8 *buf = params->buf;
-       size_t len = params->len;
+       size_t len = params->len, total;
        struct wil6210_priv *wil = wiphy_to_wil(wiphy);
        int rc;
        bool tx_status = false;
@@ -926,7 +926,11 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
        if (len < sizeof(struct ieee80211_hdr_3addr))
                return -EINVAL;
 
-       cmd = kmalloc(sizeof(*cmd) + len, GFP_KERNEL);
+       total = sizeof(*cmd) + len;
+       if (total < len)
+               return -EINVAL;
+
+       cmd = kmalloc(total, GFP_KERNEL);
        if (!cmd) {
                rc = -ENOMEM;
                goto out;
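Review bot: The new test `if (total < len)` only rejects lengths close to SIZE_MAX, so a frame longer than 65535 bytes still passes it. In the following hunk `cmd->len = cpu_to_le16(len);` then truncates that length, while `memcpy` and `wmi_call` use the full value, leaving the length field out of step with the payload actually sent to the firmware. An upper bound next to the existing minimum-length check would cover both cases, for example `if (len > U16_MAX) return -EINVAL;`, or a tighter limit if the WMI transport defines a maximum message size. Whether the caller or `wmi_call` already caps the size is not visible here, and the function body starts and ends outside this hunk.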
@@ -936,7 +940,7 @@ int wil_cfg80211_mgmt_tx(struct wiphy *wiphy, struct wireless_dev *wdev,
        cmd->len = cpu_to_le16(len);
        memcpy(cmd->payload, buf, len);
 
-       rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, cmd, sizeof(*cmd) + len,
+       rc = wmi_call(wil, WMI_SW_TX_REQ_CMDID, cmd, total,
                      WMI_SW_TX_COMPLETE_EVENTID, &evt, sizeof(evt), 2000);
        if (rc == 0)
                tx_status = !evt.evt.status;