bpf: fix arraymap NULL deref and missing overflow and zero size checks

[deliverable/linux.git] / net / wireless / sme.c

diff --git a/net/wireless/sme.c b/net/wireless/sme.c
index dc1668ff543b90927d9cb4e08b38897ac8e97f6c..0ab3711c79a01ae98cdaaafa64bf12ac94e80271 100644 (file)
--- a/net/wireless/sme.c
+++ b/net/wireless/sme.c
@@ -80,9 +80,18 @@ static int cfg80211_conn_scan(struct wireless_dev *wdev)
        if (!request)
                return -ENOMEM;
 
-       if (wdev->conn->params.channel)
+       if (wdev->conn->params.channel) {
+               enum ieee80211_band band = wdev->conn->params.channel->band;
+               struct ieee80211_supported_band *sband =
+                       wdev->wiphy->bands[band];
+
+               if (!sband) {
+                       kfree(request);
+                       return -EINVAL;
+               }
                request->channels[0] = wdev->conn->params.channel;
-       else {
+               request->rates[band] = (1 << sband->n_bitrates) - 1;
+       } else {
                int i = 0, j;
                enum ieee80211_band band;
                struct ieee80211_supported_band *bands;