mwifiex: correct max IE length check for WPS IE

This patch is bug fix for an invalid boundry check for WPS IE.
We should check max IE length against defined macro; instead we were
checking it against size of pointer. Fix it.
Also move IE length check before allocation of memory.

Signed-off-by: Avinash Patil <patila@marvell.com>
Signed-off-by: Bing Zhao <bzhao@marvell.com>
Signed-off-by: John W. Linville <linville@tuxdriver.com>

1 files changed, 6 insertions, 5 deletions

diff --git a/drivers/net/wireless/mwifiex/sta_ioctl.c b/drivers/net/wireless/mwifiex/sta_ioctl.c
index 206c3e038072..c071ce91c8b2 100644
--- a/drivers/net/wireless/mwifiex/sta_ioctl.c
+++ b/drivers/net/wireless/mwifiex/sta_ioctl.c
@@ -797,15 +797,16 @@ static int mwifiex_set_wps_ie(struct mwifiex_private *priv,
                                u8 *ie_data_ptr, u16 ie_len)
 {
         if (ie_len) {
-                priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);
-                if (!priv->wps_ie)
-                        return -ENOMEM;
-                if (ie_len > sizeof(priv->wps_ie)) {
+                if (ie_len > MWIFIEX_MAX_VSIE_LEN) {
                         dev_dbg(priv->adapter->dev,
                                 "info: failed to copy WPS IE, too big\n");
-                        kfree(priv->wps_ie);
                         return -1;
                 }
+
+                priv->wps_ie = kzalloc(MWIFIEX_MAX_VSIE_LEN, GFP_KERNEL);
+                if (!priv->wps_ie)
+                        return -ENOMEM;
+
                 memcpy(priv->wps_ie, ie_data_ptr, ie_len);
                 priv->wps_ie_len = ie_len;
                 dev_dbg(priv->adapter->dev, "cmd: Set wps_ie_len=%d IE=%#x\n",