Add checks for p->length and remove some goto statements

kimocoder 2020-07-12 00:33:50 +00:00
parent 058ef814b8
commit 4339edf38f
3 changed files with 15 additions and 38 deletions


@ -2406,7 +2406,7 @@ u32 mp_query_psd(PADAPTER pAdapter, u8 *data)
psd_data = rtw_GetPSDData(pAdapter, i - psd_pts); psd_data = rtw_GetPSDData(pAdapter, i - psd_pts);
else else
psd_data = rtw_GetPSDData(pAdapter, i); psd_data = rtw_GetPSDData(pAdapter, i);
sprintf(data, "%s%x ", data, psd_data); sprintf(data + strlen(data), "%x ", psd_data);
i++; i++;
} }
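Review bot: The append on the changed line, `sprintf(data + strlen(data), "%x ", psd_data);`, is still unbounded, because nothing visible in this hunk limits how many "%x " fields the loop writes into `data`, and mp_query_psd receives no size for that buffer. Tracking a running offset against a known capacity would make the write checkable, e.g. `len += scnprintf((char *)data + len, size - len, "%x ", psd_data);`, where `size` stands for the buffer capacity supplied by the caller or a driver constant. `data` is declared `u8 *`, so `strlen(data)` and the `sprintf` destination also rely on an implicit pointer-signedness conversion that an explicit `(char *)` cast would make clear. The loop bounds and the buffer's allocation are outside the hunk, so the real capacity needs to be confirmed at the call site.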


@ -1,5 +1,5 @@
PACKAGE_NAME="realtek-rtl88xxau" PACKAGE_NAME="realtek-rtl88xxau"
PACKAGE_VERSION="5.6.4.2~20200313" PACKAGE_VERSION="5.6.4.2~20200712"
CLEAN="'make' clean" CLEAN="'make' clean"
BUILT_MODULE_NAME[0]=88XXau BUILT_MODULE_NAME[0]=88XXau
PROCS_NUM=`nproc` PROCS_NUM=`nproc`


@ -6867,21 +6867,17 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
/* down(&ieee->wx_sem); */ /* down(&ieee->wx_sem); */
if (p->length < sizeof(struct ieee_param) || !p->pointer) { if (!p->pointer || p->length != sizeof(struct ieee_param))
ret = -EINVAL; return -EINVAL;
goto out;
}
param = (struct ieee_param *)rtw_malloc(p->length); param = (struct ieee_param *)rtw_malloc(p->length);
if (param == NULL) {
ret = -ENOMEM; if (param == NULL)
goto out; return -ENOMEM;
}
if (copy_from_user(param, p->pointer, p->length)) { if (copy_from_user(param, p->pointer, p->length)) {
rtw_mfree((u8 *)param, p->length); rtw_mfree((u8 *)param, p->length);
ret = -EFAULT; return -EFAULT;
goto out;
} }
switch (param->cmd) { switch (param->cmd) {
@ -6915,12 +6911,7 @@ static int wpa_supplicant_ioctl(struct net_device *dev, struct iw_point *p)
rtw_mfree((u8 *)param, p->length); rtw_mfree((u8 *)param, p->length);
out:
/* up(&ieee->wx_sem); */
return ret; return ret;
} }
#ifdef CONFIG_AP_MODE #ifdef CONFIG_AP_MODE
@ -7727,32 +7718,21 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
* so, we just check hw_init_completed * so, we just check hw_init_completed
*/ */
if (!rtw_is_hw_init_completed(padapter)) { if (!rtw_is_hw_init_completed(padapter))
ret = -EPERM; return -EPERM;
goto out;
}
if (!p->pointer || p->length != sizeof(struct ieee_param))
/* if (p->length < sizeof(struct ieee_param) || !p->pointer){ */ return -EINVAL;
if (!p->pointer) {
ret = -EINVAL;
goto out;
}
param = (struct ieee_param *)rtw_malloc(p->length); param = (struct ieee_param *)rtw_malloc(p->length);
if (param == NULL) { if (param == NULL)
ret = -ENOMEM; return -ENOMEM;
goto out;
}
if (copy_from_user(param, p->pointer, p->length)) { if (copy_from_user(param, p->pointer, p->length)) {
rtw_mfree((u8 *)param, p->length); rtw_mfree((u8 *)param, p->length);
ret = -EFAULT; return -EFAULT;
goto out;
} }
/* RTW_INFO("%s, cmd=%d\n", __FUNCTION__, param->cmd); */
switch (param->cmd) { switch (param->cmd) {
case RTL871X_HOSTAPD_FLUSH: case RTL871X_HOSTAPD_FLUSH:
@ -7845,10 +7825,7 @@ static int rtw_hostapd_ioctl(struct net_device *dev, struct iw_point *p)
rtw_mfree((u8 *)param, p->length); rtw_mfree((u8 *)param, p->length);
out:
return ret; return ret;
} }
#endif #endif
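Review bot: The new guard `p->length != sizeof(struct ieee_param)` in wpa_supplicant_ioctl is stricter than the `p->length < sizeof(struct ieee_param)` test it replaces, so any caller that passed a larger buffer now gets -EINVAL; the same exact-size test is added in rtw_hostapd_ioctl. If struct ieee_param ends in variable-length data (its definition is not shown here), requests carrying key or IE payloads would be rejected, and a bounded range would fit better: `if (!p->pointer || p->length < sizeof(struct ieee_param) || p->length > IEEE_PARAM_MAX_LEN) return -EINVAL;`, with `IEEE_PARAM_MAX_LEN` a placeholder for a driver-chosen cap. If the exact size is intended, a comment such as `/* fixed-size request: reject anything else so rtw_malloc() and copy_from_user() never see an unchecked length */` above each check would record that decision. Either way, the handlers under `switch (param->cmd)` lie outside these hunks and should be checked to confirm that no length field read from the copied struct is used to access memory beyond `p->length`.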