From c7bcf7cf92e170e661de428828e99b5f93f3c1cb Mon Sep 17 00:00:00 2001
From: Dmitry Shmidt
Date: Thu, 4 Nov 2010 10:38:08 -0700
Subject: [PATCH] net: wireless: bcm4329: Add check for out of bounds scan buffer

Signed-off-by: Dmitry Shmidt
---
 drivers/net/wireless/bcm4329/wl_iw.c | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/drivers/net/wireless/bcm4329/wl_iw.c b/drivers/net/wireless/bcm4329/wl_iw.c
index 6d83a259bf95..21ccb4b52566 100644
--- a/drivers/net/wireless/bcm4329/wl_iw.c
+++ b/drivers/net/wireless/bcm4329/wl_iw.c
@@ -2533,8 +2533,10 @@ wl_iw_get_aplist(
 for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
 bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
- if ((uintptr)bi >= ((uintptr)list + buflen)) {
- WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+
+ if ((dtoh32(bi->length) > buflen) ||
+ (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + buflen))) {
+ WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
 kfree(list);
 return -E2BIG;
 }
@@ -2610,8 +2612,10 @@ wl_iw_iscan_get_aplist(
 for (i = 0, dwrq->length = 0; i < list->count && dwrq->length < IW_MAX_AP; i++) {
 bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
- if ((uintptr)bi >= ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) {
- WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+
+ if ((dtoh32(bi->length) > WLC_IW_ISCAN_MAXLEN) ||
+ (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN))) {
+ WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
 return -E2BIG;
 }
@@ -3548,7 +3552,7 @@ wl_iw_get_scan_prep(
 if (!list) {
 WL_ERROR(("%s: Null list pointer",__FUNCTION__));
- return -EINVAL;
+ return ret;
 }
 for (i = 0; i < list->count && i < IW_MAX_AP; i++)
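Review bot: The rewritten condition in wl_iw_get_aplist reads `bi->length` before anything confirms that `bi` itself is still inside the buffer, which the removed `(uintptr)bi >= ((uintptr)list + buflen)` test did. After the advance on the line above, `bi` can sit exactly at `(uintptr)list + buflen` when the previous record ended there and `list->count` claims another entry, so the length is fetched from beyond the allocation and a value of 0 passes both clauses. Putting `(((uintptr)bi + sizeof(*bi)) > ((uintptr)list + buflen)) ||` first in the condition keeps the old guarantee, and, assuming a valid record is never shorter than the fixed `wl_bss_info_t` header, also rejecting `dtoh32(bi->length) < sizeof(*bi)` stops a zero or undersized length from being accepted. The identical condition is added in wl_iw_iscan_get_aplist and wl_iw_iscan_get_scan, so the same applies there; the loop body continues outside the hunk.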
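Review bot: The upper limit `(uintptr)list + WLC_IW_ISCAN_MAXLEN` in wl_iw_iscan_get_aplist is only correct if `list` is the first byte of a buffer of exactly that size, and the assignment of `list` is outside the hunk. If `list` instead points at a results member inside a larger scan-buffer structure, the limit overshoots the allocation by that member's offset and a record ending in the gap is accepted. Computing the end from the buffer's own base, or at least recording the assumption with a comment such as `/* bound assumes list is the base of a WLC_IW_ISCAN_MAXLEN-byte buffer */`, would make the check verifiable; wl_iw_iscan_get_scan uses the same expression. Unlike wl_iw_get_aplist, this error path returns without `kfree(list)`, which is presumably right for a buffer the function does not own, but a one-line comment saying so would help.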
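Review bot: The null-list branch in wl_iw_get_scan_prep now returns `ret` instead of `-EINVAL`, and nothing in the hunk or the commit message says what `ret` holds at that point; its declaration and the function's return type are outside the hunk. If the function returns an unsigned byte count, as the change suggests, say so in the message and above the return, e.g. `/* no results: report ret bytes written, not an errno */`. The `for` loop that ends the hunk is limited only by `list->count` and `IW_MAX_AP`; if its body steps through records by `bi->length` like the other three functions, it needs the bounds check this commit adds elsewhere, and that is not added here.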
@@ -3898,8 +3902,9 @@ wl_iw_iscan_get_scan(
 for (ii = 0; ii < list->count && apcnt < IW_MAX_AP; apcnt++, ii++) {
 bi = bi ? (wl_bss_info_t *)((uintptr)bi + dtoh32(bi->length)) : list->bss_info;
- if ((uintptr)bi >= ((uintptr)list + WLC_IW_ISCAN_MAXLEN)) {
- WL_ERROR(("%s: Scan results out of bounds\n",__FUNCTION__));
+ if ((dtoh32(bi->length) > WLC_IW_ISCAN_MAXLEN) ||
+ (((uintptr)bi + dtoh32(bi->length)) > ((uintptr)list + WLC_IW_ISCAN_MAXLEN))) {
+ WL_ERROR(("%s: Scan results out of bounds: %u\n",__FUNCTION__,dtoh32(bi->length)));
 return -E2BIG;
 }
-- 
2.34.1
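Review bot: The new condition in wl_iw_iscan_get_scan falls through to the unchanged `return -E2BIG;`, so a malformed record length is reported with the same errno that the wireless-extensions scan ioctl uses to tell user space its result buffer was too small. If this function is the SIOCGIWSCAN handler, as its name suggests, callers may respond by retrying with a larger buffer instead of treating the results as invalid. Returning a distinct code from this branch, for example `return -EINVAL;`, keeps the two cases apart. The rest of the loop and the function's other return paths are outside the hunk.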