--- a/ecm_interface.c +++ b/ecm_interface.c @@ -8014,7 +8014,7 @@ static int ecm_interface_wifi_event_iwev /* * Copy the base data structure to get iwe->len */ - memcpy(&iwe_buf, pos, IW_EV_LCP_LEN); + memcpy(&iwe_buf, pos, min_t(size_t, IW_EV_LCP_LEN, (size_t)(end - pos))); /* * Check that len is valid and that we have that much in the buffer. @@ -8031,10 +8031,10 @@ static int ecm_interface_wifi_event_iwev dpos = (char *)&iwe_buf.u.data.length; dlen = dpos - (char *)&iwe_buf; - memcpy(dpos, pos + IW_EV_LCP_LEN, sizeof(struct iw_event) - dlen); + memcpy(dpos, pos + IW_EV_LCP_LEN, min_t(size_t, sizeof(struct iw_event) - dlen, (size_t)(end - pos - IW_EV_LCP_LEN))); if (custom + iwe->u.data.length > end) { - DEBUG_WARN("Invalid buffer length received in the event iwe->u.data.length %d\n", iwe->u.data.length); + DEBUG_WARN("Invalid buffer length received in the event iwe->u.data.length %d\n", (int)iwe->u.data.length); return -1; } @@ -8042,7 +8042,7 @@ static int ecm_interface_wifi_event_iwev * Check the flags of iw event if it indicates the IW authorized signal. */ if (iwe->u.data.flags == ECM_INTERFACE_WIFI_EVENT_NODE_AUTH) { - dbuf = kzalloc((iwe->u.data.length + 1), GFP_KERNEL); + dbuf = kzalloc(iwe->u.data.length, GFP_KERNEL); if (!dbuf) { DEBUG_WARN("Failed to allocated a buffer to process the custom event"); return -1; @@ -8065,16 +8065,16 @@ static int ecm_interface_wifi_event_iwev return 0; } - if ((iwe->len > sizeof(struct iw_event)) || (iwe->len + pos) > end) { + if ((iwe->len > sizeof(struct iw_event)) || (iwe->len + pos > end)) { return -1; } /* * Do the copy again with the full length. */ - memcpy(&iwe_buf, pos, iwe->len); + memcpy(&iwe_buf, pos, min_t(size_t, iwe->len, (size_t)(end - pos))); - if (iwe->cmd == IWEVEXPIRED) { + if (iwe->cmd == IWEVEXPIRED && iwe->len >= sizeof(struct iw_event)) { DEBUG_INFO("STA %pM leaving\n", (uint8_t *)iwe->u.addr.sa_data); ecm_interface_node_connections_defunct((uint8_t *)iwe->u.addr.sa_data, ECM_DB_IP_VERSION_IGNORE); } else {