]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/commitdiff
projects / mirror_ubuntu-jammy-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1382993)
ar5523: check NULL before memcpy() in ar5523_cmd()
authorDenis Efremov <efremov@linux.com>
Mon, 30 Sep 2019 20:31:47 +0000 (23:31 +0300)
committerKalle Valo <kvalo@codeaurora.org>
Wed, 2 Oct 2019 17:21:28 +0000 (20:21 +0300)
memcpy() call with "idata == NULL && ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: stable@vger.kernel.org
Signed-off-by: Denis Efremov <efremov@linux.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
drivers/net/wireless/ath/ar5523/ar5523.c patch | blob | blame | history

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index b94759daeaccf68c84d71b9938627bb6a2b1c793..da2d179430ca5a39e20239f0a7c6215730c6dde3 100644 (file)
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
 
        if (flags & AR5523_CMD_FLAG_MAGIC)
                hdr->magic = cpu_to_be32(1 << 24);
-       memcpy(hdr + 1, idata, ilen);
+       if (ilen)
+               memcpy(hdr + 1, idata, ilen);
 
        cmd->odata = odata;
        cmd->olen = olen;
Ubuntu Jammy Linux kernel mirror