| commit | 73f2c8e933b1dcf432ac8c6965a6e67af630077f | |
| author | Kevin Cernekee <cernekee@chromium.org> | |
| Sun, 17 Sep 2017 04:08:22 +0000 (16 21:08 -0700) | ||
| committer | Kalle Valo <kvalo@codeaurora.org> | |
| Mon, 2 Oct 2017 14:07:00 +0000 (2 17:07 +0300) | ||
| tree | 7d13c96d617eaf3578ebb02ac0a48749a6313df2 | treesnapshot (tar.gz zip) |
| parent | 96cbe3d638e4287db6482b6223367d3e6cf5871e | commitdiff |
brcmfmac: Avoid possible out-of-bounds read
In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
the length of rxframe is validated. This could lead to uninitialized
data being accessed (but not printed). Since we already have a
perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
and ch.chspec is not modified by decchspec(), avoid the extra
assignment and use ch.chspec in the debug print.
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
In brcmf_p2p_notify_rx_mgmt_p2p_probereq(), chanspec is assigned before
the length of rxframe is validated. This could lead to uninitialized
data being accessed (but not printed). Since we already have a
perfectly good endian-swapped copy of rxframe->chanspec in ch.chspec,
and ch.chspec is not modified by decchspec(), avoid the extra
assignment and use ch.chspec in the debug print.
Suggested-by: Mattias Nissler <mnissler@chromium.org>
Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
| drivers/net/wireless/broadcom/brcm80211/brcmfmac/p2p.c | diffblobblamehistory |