[PATCH 3/3] staging: wilc1000: refactor p2p action frames handling API's

Dan Carpenter dan.carpenter at oracle.com
Tue Feb 11 06:51:01 UTC 2020


On Mon, Feb 10, 2020 at 06:36:01PM +0000, Ajay.Kathat at microchip.com wrote:
> +	if (sta_ch == WILC_INVALID_CHANNEL)
> +		return;
>  
>  	while (index < len) {

This range checking was there in the original code, but it's not
correct.  index and len are in terms of bytes so we know that we can
read one byte from &buf[index] but we are reading a wilc_attr_entry
struct which is larger than a byte.  The struct is actually flexibly
sized so this should be something like:

	while (index + sizeof(struct wilc_attr_entry) <= len) {
		e = (struct wilc_attr_entry *)&buf[index];
		if (index + sizeof(struct wilc_attr_entry) +
		    le16_to_cpu(e->attr_len) > len)
			break;

> -		if (buf[index] ==  CHANLIST_ATTR_ID)
> -			channel_list_attr_index = index;
> -		else if (buf[index] ==  OPERCHAN_ATTR_ID)
> -			op_channel_attr_index = index;
> -		index += buf[index + 1] + 3;
> +		e = (struct wilc_attr_entry *)&buf[index];
> +		if (e->attr_type == IEEE80211_P2P_ATTR_CHANNEL_LIST)
> +			ch_list_idx = index;
> +		else if (e->attr_type == IEEE80211_P2P_ATTR_OPER_CHANNEL)
> +			op_ch_idx = index;
> +		if (ch_list_idx && op_ch_idx)
> +			break;
> +		index += le16_to_cpu(e->attr_len) + sizeof(*e);
>  	}
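Review bot: the loop bound `while (index < len)` only proves that buf[index] itself is readable, yet the body reads a whole header through `e = (struct wilc_attr_entry *)&buf[index];` (attr_type plus the 16-bit attr_len) and then advances by `index += le16_to_cpu(e->attr_len) + sizeof(*e);` without ever checking that the header, or the attr_len bytes that follow it, lie inside the buffer; on the last iteration this reads past len whenever the frame ends mid-attribute. The loop condition should require `index + sizeof(struct wilc_attr_entry) <= len`, and the body should break out as soon as `index + sizeof(*e) + le16_to_cpu(e->attr_len) > len`, so a truncated or attacker-shaped attribute list stops the walk instead of being dereferenced.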

regards,
dan carpenter
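The bounds check Dan describes, written out as a stand-alone userspace parser (an added example, not the wilc1000 driver's code or Dan's patch). It assumes the wilc_attr_entry layout of a one-byte attr_type, a little-endian 16-bit attr_len and attr_len bytes of data, and uses the Linux values of IEEE80211_P2P_ATTR_CHANNEL_LIST and IEEE80211_P2P_ATTR_OPER_CHANNEL; the function name, the ATTR_NOT_FOUND sentinel and the sample buffer are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Header layout assumed to mirror the driver's wilc_attr_entry:
 * u8 attr_type, __le16 attr_len, then attr_len bytes of data. */
#define P2P_ATTR_HDR_LEN 3
#define P2P_ATTR_CHANNEL_LIST 11   /* IEEE80211_P2P_ATTR_CHANNEL_LIST */
#define P2P_ATTR_OPER_CHANNEL 17   /* IEEE80211_P2P_ATTR_OPER_CHANNEL */
#define ATTR_NOT_FOUND ((size_t)-1)

/* Return the offset of the first attribute of type `wanted` that lies wholly
 * inside buf, or ATTR_NOT_FOUND.  A truncated attribute ends the walk
 * instead of being read past len. */
size_t p2p_attr_offset(const uint8_t *buf, size_t len, uint8_t wanted)
{
	size_t index = 0;

	/* The whole 3-byte header must lie inside buf before attr_type and
	 * attr_len are read; "index < len" only guarantees the first byte. */
	while (index + P2P_ATTR_HDR_LEN <= len) {
		/* attr_len is little-endian on the wire, hence le16_to_cpu() */
		size_t alen = buf[index + 1] | ((size_t)buf[index + 2] << 8);

		/* The body must fit as well; the subtraction cannot underflow
		 * because the loop condition already holds. */
		if (alen > len - index - P2P_ATTR_HDR_LEN)
			return ATTR_NOT_FOUND;
		if (buf[index] == wanted)
			return index;
		index += P2P_ATTR_HDR_LEN + alen;
	}
	return ATTR_NOT_FOUND;
}

/* Constructed sample: oper-channel attr (8 bytes), an unrelated attr (4),
 * channel-list attr (6), then a header claiming 100 data bytes with only
 * 2 present, which the bounds check must reject rather than read past. */
const uint8_t sample_attrs[] = {
	17, 5, 0, 1, 2, 3, 4, 5,            2, 1, 0, 0xaa,
	11, 3, 0, 0x51, 0x6c, 0x0b,         3, 100, 0, 0xde, 0xad,
};

int main(void)
{
	size_t n = sizeof(sample_attrs);

	printf("channel list @%zu, oper channel @%zu\n",
	       p2p_attr_offset(sample_attrs, n, P2P_ATTR_CHANNEL_LIST),
	       p2p_attr_offset(sample_attrs, n, P2P_ATTR_OPER_CHANNEL));
	return 0;
}
```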

