net: wireless: bcmdhd: fix buffer overrun in wl_cfg80211_add_iw_ie

added boundary check not to override allocated buffer.

Signed-off-by: Insun Song <insun.song@broadcom.com>
Change-Id: I76211db7ef595fc41cf5d5d58de79cedfe80e521
Bug: 32125310
Reviewed-on: http://git-master/r/1478872
GVS: Gerrit_Virtual_Submit
Reviewed-by: Gagan Grover <ggrover@nvidia.com>
Tested-by: Sunny Li <sunnyl@nvidia.com>
Reviewed-by: Hayden Du <haydend@nvidia.com>

diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index efc2ac09f2f14694371573114a84c996ab780422..46f93ec992c3c40ea9027004cc0de0c11421c29a 100755 (executable)
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -14160,6 +14160,10 @@ wl_cfg80211_add_iw_ie(struct bcm_cfg80211 *cfg, struct net_device *ndev, s32 bss
        if (ie_id != DOT11_MNG_INTERWORKING_ID)
                return BCME_UNSUPPORTED;
 
+       if (data_len > IW_IES_MAX_BUF_LEN) {
+               WL_ERR(("wrong data_len:%d\n", data_len));
+               return BCME_BADARG;
+       }
        /* Validate the pktflag parameter */
        if ((pktflag & ~(VNDR_IE_BEACON_FLAG | VNDR_IE_PRBRSP_FLAG |
                    VNDR_IE_ASSOCRSP_FLAG | VNDR_IE_AUTHRSP_FLAG |