
qcacld 3.0: Validate WPA and RSN IE for valid length

qcacld-2.0 to qcacld-3.0 propagation

Return failure to applications if genie ioctl is invoked to configure
WPS/WPA/RSN IEs with arguments of improper length.

Change-Id: I2e034ef9f2537922be35d46ce266e6b99dab7bb6
CRs-Fixed: 931451
Mahesh A Saptasagar 9 лет назад
Родитель
Сommit
d639dde9ec
1 измененных файлов с 21 добавлено и 9 удалено
  1. 21 9
      core/hdd/src/wlan_hdd_wext.c

+ 21 - 9
core/hdd/src/wlan_hdd_wext.c

@@ -2671,8 +2671,8 @@ static int __iw_set_genie(struct net_device *dev,
 		switch (elementId) {
 		case IE_EID_VENDOR:
 			if ((IE_LEN_SIZE + IE_EID_SIZE + IE_VENDOR_OUI_SIZE) > eLen) {  /* should have at least OUI */
-				kfree(base_genie);
-				return -EINVAL;
+				ret = -EINVAL;
+				goto exit;
 			}
 
 			if (0 == memcmp(&genie[0], "\x00\x50\xf2\x04", 4)) {
@@ -2688,8 +2688,8 @@ static int __iw_set_genie(struct net_device *dev,
 					       "Cannot accommodate genIE. "
 					       "Need bigger buffer space");
 					QDF_ASSERT(0);
-					kfree(base_genie);
-					return -ENOMEM;
+					ret = -ENOMEM;
+					goto exit;
 				}
 				/* save to Additional IE ; it should be accumulated to handle WPS IE + other IE */
 				memcpy(pWextState->genIE.addIEdata +
@@ -2699,6 +2699,12 @@ static int __iw_set_genie(struct net_device *dev,
 				hddLog(QDF_TRACE_LEVEL_INFO,
 				       "%s Set WPA IE (len %d)", __func__,
 				       eLen + 2);
+				if ((eLen + 2) > (sizeof(pWextState->WPARSNIE))) {
+					hdd_warn("Cannot accommodate genIE, Need bigger buffer space");
+					ret = -EINVAL;
+					QDF_ASSERT(0);
+					goto exit;
+				}
 				memset(pWextState->WPARSNIE, 0,
 				       MAX_WPA_RSN_IE_LEN);
 				memcpy(pWextState->WPARSNIE, genie - 2,
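Review bot: The guard added before the WPA copy bounds `eLen + 2` against the destination `pWextState->WPARSNIE` only, while the source side stays unchecked in the visible hunks. Nothing shown compares `eLen` with `remLen`, so the `memcpy` from `genie - 2` could still read past the buffer behind `base_genie` when an IE's length byte exceeds what remains. The loop head is outside the hunk, so this may already be checked there. If it is not, a guard ahead of the `switch` such as `if (eLen > remLen) { ret = -EINVAL; goto exit; }` would also keep `remLen -= eLen` at the end of the loop from wrapping or going negative. The same applies to the RSN copy in the hunk at -2733.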
@@ -2721,8 +2727,8 @@ static int __iw_set_genie(struct net_device *dev,
 					       "Cannot accommodate genIE. "
 					       "Need bigger buffer space");
 					QDF_ASSERT(0);
-					kfree(base_genie);
-					return -ENOMEM;
+					ret = -ENOMEM;
+					goto exit;
 				}
 				/* save to Additional IE ; it should be accumulated to handle WPS IE + other IE */
 				memcpy(pWextState->genIE.addIEdata +
@@ -2733,6 +2739,12 @@ static int __iw_set_genie(struct net_device *dev,
 		case DOT11F_EID_RSN:
 			hddLog(LOG1, "%s Set RSN IE (len %d)", __func__,
 			       eLen + 2);
+			if ((eLen + 2) > (sizeof(pWextState->WPARSNIE))) {
+				hdd_warn("Cannot accommodate genIE, Need bigger buffer space");
+				ret = -EINVAL;
+				QDF_ASSERT(0);
+				goto exit;
+			}
 			memset(pWextState->WPARSNIE, 0, MAX_WPA_RSN_IE_LEN);
 			memcpy(pWextState->WPARSNIE, genie - 2, (eLen + 2));
 			pWextState->roamProfile.pRSNReqIE =
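Review bot: `QDF_ASSERT(0)` in the new RSN guard fires on a length that, per the commit description, comes straight from an application's genie ioctl, so it marks expected bad input as an invariant violation. If `QDF_ASSERT` is fatal or noisy in some build configurations (not visible here), a caller can trigger it at will. I would drop the assert from this guard and from the identical WPA guard in the hunk at -2699, keeping `hdd_warn(...)`, `ret = -EINVAL;` and `goto exit;`. Separately, the guard uses `sizeof(pWextState->WPARSNIE)` while the following `memset` uses `MAX_WPA_RSN_IE_LEN`; writing `memset(pWextState->WPARSNIE, 0, sizeof(pWextState->WPARSNIE));` would keep the two bounds in step if the array size ever changes.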
@@ -2743,15 +2755,15 @@ static int __iw_set_genie(struct net_device *dev,
 		default:
 			hddLog(LOGE, "%s Set UNKNOWN IE %X", __func__,
 			       elementId);
-			kfree(base_genie);
-			return 0;
+			goto exit;
 		}
 		genie += eLen;
 		remLen -= eLen;
 	}
+exit:
 	EXIT();
 	kfree(base_genie);
-	return 0;
+	return ret;
 }
 
 /**
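Review bot: The `default:` branch now jumps to `exit` without assigning `ret`, so what the function returns for an unknown element id depends on an initialisation or earlier assignment of `ret` that lies outside these hunks. The old code returned a literal `0` here, so writing `ret = 0;` before the `goto exit;` would keep that behaviour explicit. A short comment would also help, e.g. `/* unknown IE: stop parsing, report success as before */`, since aborting the loop with a success code on the first unrecognised IE is easy to misread as an error path.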