staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan()

Dan Carpenter · gregkh · commit 87107518d7a9 · 2021-03-10T09:23:30.000+01:00
We need to cap len at IW_ESSID_MAX_SIZE (32) to avoid memory corruption. This can be controlled by the user via the ioctl. Fixes: 5f53d8c ("Staging: add rtl8192SU wireless usb driver") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: stable <stable@vger.kernel.org> Link: https://lore.kernel.org/r/YEHoAWMOSZBUw91F@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/drivers/staging/rtl8192u/r8192U_wx.c b/drivers/staging/rtl8192u/r8192U_wx.c
@@ -331,8 +331,10 @@ static int r8192_wx_set_scan(struct net_device *dev, struct iw_request_info *a,
 		struct iw_scan_req *req = (struct iw_scan_req *)b;
 
 		if (req->essid_len) {
-			ieee->current_network.ssid_len = req->essid_len;
-			memcpy(ieee->current_network.ssid, req->essid, req->essid_len);
+			int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);
+
+			ieee->current_network.ssid_len = len;
+			memcpy(ieee->current_network.ssid, req->essid, len);
 		}
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -331,8 +331,10 @@ static int r8192_wx_set_scan(struct net_device dev, struct iw_request_info a,`
`331`	`331`	`struct iw_scan_req req = (struct iw_scan_req )b;`
`332`	`332`
`333`	`333`	`if (req->essid_len) {`
`334`		`- ieee->current_network.ssid_len = req->essid_len;`
`335`		`- memcpy(ieee->current_network.ssid, req->essid, req->essid_len);`
	`334`	`+ int len = min_t(int, req->essid_len, IW_ESSID_MAX_SIZE);`
	`335`	`+`
	`336`	`+ ieee->current_network.ssid_len = len;`
	`337`	`+ memcpy(ieee->current_network.ssid, req->essid, len);`
`336`	`338`	`}`
`337`	`339`	`}`
`338`	`340`