From 315cee426f87658a6799815845788fde965ddaad Mon Sep 17 00:00:00 2001

From: Denis Efremov <efremov@linux.com>

Date: Mon, 30 Sep 2019 23:31:47 +0300

Subject: [PATCH] ar5523: check NULL before memcpy() in ar5523_cmd()

Git-commit: 315cee426f87658a6799815845788fde965ddaad

Patch-mainline: v5.5-rc1

References: bsc#1051510

memcpy() call with "idata == NULL && ilen == 0" results in undefined

behavior in ar5523_cmd(). For example, NULL is passed in callchain

"ar5523_stat_work() -> ar5523_cmd_write() -> ar5523_cmd()". This patch

adds ilen check before memcpy() call in ar5523_cmd() to prevent an

undefined behavior.

Cc: Pontus Fuchs <pontus.fuchs@gmail.com>

Cc: Kalle Valo <kvalo@codeaurora.org>

Cc: "David S. Miller" <davem@davemloft.net>

Cc: David Laight <David.Laight@ACULAB.COM>

Cc: stable@vger.kernel.org

Signed-off-by: Denis Efremov <efremov@linux.com>

Signed-off-by: Kalle Valo <kvalo@codeaurora.org>

Acked-by: Takashi Iwai <tiwai@suse.de>

---

 drivers/net/wireless/ath/ar5523/ar5523.c | 3 ++-

 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/ath/ar5523/ar5523.c b/drivers/net/wireless/ath/ar5523/ar5523.c

index b94759daeacc..da2d179430ca 100644

--- a/drivers/net/wireless/ath/ar5523/ar5523.c

+++ b/drivers/net/wireless/ath/ar5523/ar5523.c

@@ -255,7 +255,8 @@ static int ar5523_cmd(struct ar5523 *ar, u32 code, const void *idata,

 	if (flags & AR5523_CMD_FLAG_MAGIC)

 		hdr->magic = cpu_to_be32(1 << 24);

-	memcpy(hdr + 1, idata, ilen);

+	if (ilen)

+		memcpy(hdr + 1, idata, ilen);

 	cmd->odata = odata;

 	cmd->olen = olen;

-- 

2.16.4