rtlwifi: Fix potential overflow on P2P code commit 8c55dedb795be8ec0cf488f98c03a1c2176f7fb1 upstream. Nicolas Waisman noticed that even though noa_len is checked for a compatible length it's still possible to overrun the buffers of p2pinfo since there's no check on the upper bound of noa_num. Bound noa_num against P2P_MAX_NOA_NUM. Reported-by: Nicolas Waisman <nico@semmle.com> Signed-off-by: Laura Abbott <labbott@redhat.com> Acked-by: Ping-Ke Shih <pkshih@realtek.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit: 5a917b4542ff5d804f63423973815c3b1dbdef70 [log] [tgz]
author: Laura Abbott <labbott@redhat.com> Fri Oct 18 07:43:21 2019 -0400
committer: Todd Kjos <tkjos@google.com> Fri Dec 13 17:24:57 2019 -0800
tree: 2b519738538b397e6c376cd3b2e0ce720aeadb18
parent: f3b9aac7daaceab821bcf6cac18d7f6270163e75 [diff]
diff --git a/drivers/net/wireless/realtek/rtlwifi/ps.c b/drivers/net/wireless/realtek/rtlwifi/ps.c
index f6d0061..e129780 100644
--- a/drivers/net/wireless/realtek/rtlwifi/ps.c
+++ b/drivers/net/wireless/realtek/rtlwifi/ps.c

@@ -774,6 +774,9 @@
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
+
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
@@ -868,6 +871,9 @@
 				return;
 			} else {
 				noa_num = (noa_len - 2) / 13;
+				if (noa_num > P2P_MAX_NOA_NUM)
+					noa_num = P2P_MAX_NOA_NUM;
+
 			}
 			noa_index = ie[3];
 			if (rtlpriv->psc.p2p_ps_info.p2p_ps_mode ==
commit	5a917b4542ff5d804f63423973815c3b1dbdef70	[log] [tgz]
author	Laura Abbott <labbott@redhat.com>	Fri Oct 18 07:43:21 2019 -0400
committer	Todd Kjos <tkjos@google.com>	Fri Dec 13 17:24:57 2019 -0800
tree	2b519738538b397e6c376cd3b2e0ce720aeadb18
parent	f3b9aac7daaceab821bcf6cac18d7f6270163e75 [diff]