wifi: cw1200: cap SSID length in cw1200_do_join()

Dan Carpenter · jmberg-intel · commit f8f15f6742b8 · 2025-09-03T09:37:51.000+02:00
If the ssidie[1] length is more that 32 it leads to memory corruption. Fixes: a910e4a ("cw1200: add driver for the ST-E CW1100 & CW1200 WLAN chipsets") Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> Link: https://patch.msgid.link/e91fb43fcedc4893b604dfb973131661510901a7.1756456951.git.dan.carpenter@linaro.org Signed-off-by: Johannes Berg <johannes.berg@intel.com>
diff --git a/drivers/net/wireless/st/cw1200/sta.c b/drivers/net/wireless/st/cw1200/sta.c
@@ -1291,7 +1291,7 @@ static void cw1200_do_join(struct cw1200_common *priv)
 		rcu_read_lock();
 		ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);
 		if (ssidie) {
-			join.ssid_len = ssidie[1];
+			join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);
 			memcpy(join.ssid, &ssidie[2], join.ssid_len);
 		}
 		rcu_read_unlock();

Original file line number	Diff line number	Diff line change
`@@ -1291,7 +1291,7 @@ static void cw1200_do_join(struct cw1200_common *priv)`
`1291`	`1291`	`rcu_read_lock();`
`1292`	`1292`	`ssidie = ieee80211_bss_get_ie(bss, WLAN_EID_SSID);`
`1293`	`1293`	`if (ssidie) {`
`1294`		`- join.ssid_len = ssidie[1];`
	`1294`	`+ join.ssid_len = min(ssidie[1], IEEE80211_MAX_SSID_LEN);`
`1295`	`1295`	`memcpy(join.ssid, &ssidie[2], join.ssid_len);`
`1296`	`1296`	`}`
`1297`	`1297`	`rcu_read_unlock();`