diff options
| author | Hante Meuleman <hante.meuleman@broadcom.com> | 2016-09-19 07:09:58 -0400 |
|---|---|---|
| committer | Kalle Valo <kvalo@codeaurora.org> | 2016-09-26 13:35:55 -0400 |
| commit | a7ed7828ecda0c2b5e0d7f55dedd4230afd4b583 (patch) | |
| tree | c54fc83075e4fa6816d93487f5f705007c702598 /drivers/net/wireless/broadcom | |
| parent | 2b7425f3629b38c438f890c20c5faeca64b144ff (diff) | |
brcmfmac: fix out of bound access on clearing wowl wake indicator
Clearing the wowl wakeindicator happens with a rather odd
construction where the string "clear" is used to set the iovar
wowl_wakeind. This was implemented incorrectly as it caused an
out of bound access. Use an intermediate variable of correct
length and copy string in that. Problem was found using coverity.
Reviewed-by: Arend Van Spriel <arend.vanspriel@broadcom.com>
Reviewed-by: Franky Lin <franky.lin@broadcom.com>
Reviewed-by: Pieter-Paul Giesberts <pieter-paul.giesberts@broadcom.com>
Signed-off-by: Hante Meuleman <hante.meuleman@broadcom.com>
Signed-off-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Diffstat (limited to 'drivers/net/wireless/broadcom')
| -rw-r--r-- | drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c index 0f2667e95e81..d97d6b153d6a 100644 --- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c +++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | |||
| @@ -3703,6 +3703,7 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg, | |||
| 3703 | struct cfg80211_wowlan *wowl) | 3703 | struct cfg80211_wowlan *wowl) |
| 3704 | { | 3704 | { |
| 3705 | u32 wowl_config; | 3705 | u32 wowl_config; |
| 3706 | struct brcmf_wowl_wakeind_le wowl_wakeind; | ||
| 3706 | u32 i; | 3707 | u32 i; |
| 3707 | 3708 | ||
| 3708 | brcmf_dbg(TRACE, "Suspend, wowl config.\n"); | 3709 | brcmf_dbg(TRACE, "Suspend, wowl config.\n"); |
| @@ -3744,8 +3745,9 @@ static void brcmf_configure_wowl(struct brcmf_cfg80211_info *cfg, | |||
| 3744 | if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state)) | 3745 | if (!test_bit(BRCMF_VIF_STATUS_CONNECTED, &ifp->vif->sme_state)) |
| 3745 | wowl_config |= BRCMF_WOWL_UNASSOC; | 3746 | wowl_config |= BRCMF_WOWL_UNASSOC; |
| 3746 | 3747 | ||
| 3747 | brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", "clear", | 3748 | memcpy(&wowl_wakeind, "clear", 6); |
| 3748 | sizeof(struct brcmf_wowl_wakeind_le)); | 3749 | brcmf_fil_iovar_data_set(ifp, "wowl_wakeind", &wowl_wakeind, |
| 3750 | sizeof(wowl_wakeind)); | ||
| 3749 | brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config); | 3751 | brcmf_fil_iovar_int_set(ifp, "wowl", wowl_config); |
| 3750 | brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1); | 3752 | brcmf_fil_iovar_int_set(ifp, "wowl_activate", 1); |
| 3751 | brcmf_bus_wowl_config(cfg->pub->bus_if, true); | 3753 | brcmf_bus_wowl_config(cfg->pub->bus_if, true); |