diff mbox series

[v2] ar5523: check NULL before memcpy() in ar5523_cmd()

Message ID 20190930203147.10140-1-efremov@linux.com (mailing list archive)
State Accepted
Commit 315cee426f87658a6799815845788fde965ddaad
Delegated to: Kalle Valo
Headers show
Series [v2] ar5523: check NULL before memcpy() in ar5523_cmd() | expand

Commit Message

Denis Efremov (Oracle) Sept. 30, 2019, 8:31 p.m. UTC 
memcpy() call with "idata == NULL && ilen == 0" results in undefined
behavior in ar5523_cmd(). For example, NULL is passed in callchain
"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
adds ilen check before memcpy() call in ar5523_cmd() to prevent an
undefined behavior.

Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
Cc: Kalle Valo <kvalo@codeaurora.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: stable@vger.kernel.org
Signed-off-by: Denis Efremov <efremov@linux.com>
---
V2: check ilen instead of idata as suggested by David Laight.

 drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Kalle Valo Oct. 2, 2019, 5:22 p.m. UTC | #1 
Denis Efremov <efremov@linux.com> wrote:

> memcpy() call with "idata == NULL && ilen == 0" results in undefined
> behavior in ar5523_cmd(). For example, NULL is passed in callchain
> "ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch
> adds ilen check before memcpy() call in ar5523_cmd() to prevent an
> undefined behavior.
> 
> Cc: Pontus Fuchs <pontus.fuchs@gmail.com>
> Cc: Kalle Valo <kvalo@codeaurora.org>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: David Laight <David.Laight@ACULAB.COM>
> Cc: stable@vger.kernel.org
> Signed-off-by: Denis Efremov <efremov@linux.com>
> Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Patch applied to ath-next branch of ath.git, thanks.

315cee426f87 ar5523: check NULL before memcpy() in ar5523_cmd()
diff mbox series

Patch

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c
index b94759daeacc..da2d179430ca 100644
--- a/drivers/net/wireless/ath/ar5523/ar5523.c
+++ b/drivers/net/wireless/ath/ar5523/ar5523.c
@@ -255,7 +255,8 @@  static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,
 
 	if (flags & AR5523_CMD_FLAG_MAGIC)
 		hdr->magic = cpu_to_be32(1 << 24);
-	memcpy(hdr + 1, idata, ilen);
+	if (ilen)
+		memcpy(hdr + 1, idata, ilen);
 
 	cmd->odata = odata;
 	cmd->olen = olen;