net: wireless: bcm4329: Add check for out of bounds scan buffer
authorDmitry Shmidt <dimitrysh@google.com>
Thu, 4 Nov 2010 17:38:08 +0000 (10:38 -0700)
committerDmitry Shmidt <dimitrysh@google.com>
Thu, 4 Nov 2010 21:01:13 +0000 (14:01 -0700)
Signed-off-by: Dmitry Shmidt <dimitrysh@google.com>
drivers/net/wireless/bcm4329/wl_iw.c

index 6d83a259bf95c912850561bb542e62dfa149a8b9..21ccb4b525662c79ece514d275f91b2bb082bd42 100644 (file)
@@ -2533,8 +2533,10 @@ wl_iw_get_aplist(
 
        for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
                bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
-               if ((uintptr)bi >= ((uintptr)list + buflen)) {
-                       WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+
+               if ((dtoh32(bi->length) > buflen) ||
+                   (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + buflen))) {
+                       WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
                        kfree(list);
                        return -E2BIG;
                }
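Review bot: The new guard on L17–L18 dereferences `bi->length` before it has established that `bi` itself is inside the scan buffer; since the bound is now `>` rather than the old `>=`, the previous iteration may leave `bi` at exactly `list + buflen`, and the next pass then reads `bi->length` one element past the buffer before the check can reject it. A length of zero, or one smaller than the fixed part of `wl_bss_info_t`, also passes the test, so the field reads that follow can run beyond the entry's declared end (and a zero length re-reads the same entry on each iteration). I would first check that the fixed header fits, then read the length once into a local and reject lengths below `sizeof(*bi)` as well as those overrunning the buffer. wl_iw_get_aplist starts and ends outside the hunk, so I am assuming `bi` is NULL-initialised before the loop, as the ternary on L13 suggests, and that a `uint32` local matches what `dtoh32` returns.
```c
bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
/* Make sure the fixed part of the entry is inside the buffer before touching bi->length. */
if (((uintptr)bi + sizeof(*bi)) > ((uintptr)list + buflen)) {
        WL_ERROR(("%s: Scan entry header out of bounds\n", __FUNCTION__));
        kfree(list);
        return -E2BIG;
}
len = dtoh32(bi->length);
if ((len < sizeof(*bi)) || (len > buflen) ||
    (((uintptr)bi + len) > ((uintptr)list + buflen))) {
        WL_ERROR(("%s: Scan results out of bounds: %u\n", __FUNCTION__, len));
        kfree(list);
        return -E2BIG;
}
/* … rest of loop body unchanged … */
```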
@@ -2610,8 +2612,10 @@ wl_iw_iscan_get_aplist(
                for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
                        bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length))
                                  : list->bss_info;
-                       if ((uintptr)bi >= ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) {
-                               WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+
+                       if ((dtoh32(bi->length) > WLC_IW_ISCAN_MAXLEN) ||
+                           (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN))) {
+                               WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
                                return -E2BIG;
                        }
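Review bot: The guard on L30–L31 reads `bi->length` before verifying that `bi` is still inside the WLC_IW_ISCAN_MAXLEN buffer; with the comparison relaxed to `>`, the previous entry can end exactly at `list + WLC_IW_ISCAN_MAXLEN`, so the next iteration's `dtoh32(bi->length)` is an out-of-bounds read before the check fires. The test also accepts a zero length or one shorter than the fixed part of `wl_bss_info_t`, which lets the subsequent field accesses run past the entry. I would add a header check ahead of the existing one, `if (((uintptr)bi + sizeof(*bi)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) return -E2BIG;`, and extend the condition with `(dtoh32(bi->length) < sizeof(*bi)) ||`, ideally reading the length once into a local rather than calling `dtoh32` three times. wl_iw_iscan_get_aplist starts and ends outside the hunk, and whether `list` must be freed on this path is not visible here, so I have mirrored the hunk's plain return.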
 
@@ -3548,7 +3552,7 @@ wl_iw_get_scan_prep(
 
        if (!list) {
                WL_ERROR(("%s: Null list pointer",__FUNCTION__));
-               return -EINVAL;
+               return ret;
        }
 
        for (i = 0; i < list->count && i < IW_MAX_AP; i++)
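Review bot: Changing `return -EINVAL` to `return ret` on L41 makes the error code for a NULL scan list depend on how `ret` was initialised before this hunk; if it starts at 0, a missing list is now reported to the caller as success and the caller will treat an unpopulated buffer as valid scan output. Unless `ret` is deliberately preset to a failure value above, I would keep an explicit code here, `return -EINVAL;`, or set `ret = -EINVAL;` immediately before the return so the intent is visible at the site. wl_iw_get_scan_prep begins and ends outside the hunk, so the initial value of `ret` cannot be confirmed from here.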
@@ -3898,8 +3902,9 @@ wl_iw_iscan_get_scan(
            for (ii = 0; ii < list->count && apcnt < IW_MAX_AP; apcnt++, ii++) {
                bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
 
-               if ((uintptr)bi >= ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) {
-                       WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+               if ((dtoh32(bi->length) > WLC_IW_ISCAN_MAXLEN) ||
+                   (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN))) {
+                       WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
                        return -E2BIG;
                }
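Review bot: The condition on L51–L52 reads `bi->length` before confirming that `bi` lies within the buffer; because the bound is now `>` instead of `>=`, the prior entry may end exactly at `list + WLC_IW_ISCAN_MAXLEN`, so `dtoh32(bi->length)` on the next pass reads one element past the scan results before the check rejects it. A zero length or one below the fixed size of `wl_bss_info_t` also slips through, which allows the per-entry field reads that follow to exceed the entry's own extent. I would guard the header first, `if (((uintptr)bi + sizeof(*bi)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) return -E2BIG;`, and add `(dtoh32(bi->length) < sizeof(*bi)) ||` to the existing test, hoisting the length into a local so it is converted once. The loop in wl_iw_iscan_get_scan continues past the end of the hunk, so I cannot see which fields of `bi` are consumed afterwards.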