From: Tristan Madani <tristan@talencesecurity.com>

The firmware-controlled sc_ssid_len and sc_pwd_len values are used as
nla_put sizes from fixed-size mailbox buffers (32 and 64 bytes) without
bounds checking. Values exceeding the buffer sizes cause out-of-bounds
reads delivered to userspace via nl80211 vendor events.

Clamp the lengths to the mailbox buffer sizes before use.

Fixes: e93e15fb47e5 ("wlcore/wl18xx: handle smart config events")
Signed-off-by: Tristan Madani <tristan@talencesecurity.com>
---
drivers/net/wireless/ti/wl18xx/event.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/ti/wl18xx/event.c b/drivers/net/wireless/ti/wl18xx/event.c
index XXXXXXX..XXXXXXX 100644
--- a/drivers/net/wireless/ti/wl18xx/event.c
+++ b/drivers/net/wireless/ti/wl18xx/event.c
@@ -82,6 +82,9 @@ static int wlcore_smart_config_decode_event(struct wl1271 *wl,
 {
 	struct sk_buff *skb;

+	ssid_len = min_t(u8, ssid_len, 32);
+	pwd_len = min_t(u8, pwd_len, 64);
+
 	wl1271_debug(DEBUG_EVENT, "SMART_CONFIG_DECODE_EVENT_ID");
 	wl1271_dump_ascii(DEBUG_EVENT, "SSID:", ssid, ssid_len);