net: wireless: bcmdhd: Do not print out device name on invalid length
(cherry picked from commit b149dd5d22c3e4c2faab0bb934a018888ff99ef3)
Signed-off-by: Patrick Tjin <pattjin@google.com>
Bug: 27335848
[fixes CVE-2016-0801]
Signed-off-by: Kees Cook <keescook@chromium.org>
Change-Id: I5cfc20061930080508f31ad2c198a4aca55caa6e
diff --git a/drivers/net/wireless/bcmdhd/wl_cfg80211.c b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
index 3e99061..861afc9 100644
--- a/drivers/net/wireless/bcmdhd/wl_cfg80211.c
+++ b/drivers/net/wireless/bcmdhd/wl_cfg80211.c
@@ -1325,10 +1325,12 @@
} else if (subelt_id == WPS_ID_DEVICE_NAME) {
char devname[100];
size_t namelen = MIN(subelt_len, sizeof(devname));
- memcpy(devname, subel, namelen);
- devname[namelen-1] = '\0';
- WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
- devname, subelt_len));
+ if (namelen) {
+ memcpy(devname, subel, namelen);
+ devname[namelen - 1] = '\0';
+ WL_DBG((" attr WPS_ID_DEVICE_NAME: %s (len %u)\n",
+ devname, subelt_len));
+ }
} else if (subelt_id == WPS_ID_DEVICE_PWD_ID) {
valptr[0] = *subel;
valptr[1] = *(subel + 1);
