net: wireless: rockchip_wlan: realtek wifi: p2p ioctl illegal parameter protect

References: CNVD-C-2020-309986, CNVD-C-2020-309987, CNVD-C-2020-309988

Signed-off-by: Weiguo Hu <hwg@rock-chips.com>
Change-Id: I611e16f8155bac6431e0d786c29ef1425ff792d2

Author: Weiguo Hu

drivers/net/wireless/rockchip_wlan/rtl8188eu/os_dep/linux/ioctl_linux.c

@@ -4476,6 +4476,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -4501,6 +4504,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4528,6 +4534,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -13221,6 +13230,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8188fu/os_dep/linux/ioctl_linux.c

@@ -4916,6 +4916,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info 			*pwdinfo= &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	intent = rtw_atoi( extra );
@@ -4945,6 +4948,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	//	Listen channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 	listen_ch = rtw_atoi( extra );
 
@@ -4976,6 +4982,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	//	Operating channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	op_ch = ( u8 ) rtw_atoi( extra );
@@ -13842,6 +13851,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8189es/os_dep/linux/ioctl_linux.c

@@ -4963,6 +4963,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info 			*pwdinfo= &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	intent = rtw_atoi( extra );
@@ -4992,6 +4995,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	//	Listen channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 	listen_ch = rtw_atoi( extra );
 
@@ -5023,6 +5029,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	//	Operating channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	op_ch = ( u8 ) rtw_atoi( extra );
@@ -13797,6 +13806,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8189fs/os_dep/linux/ioctl_linux.c

@@ -3967,6 +3967,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -3992,6 +3995,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4019,6 +4025,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -12724,6 +12733,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8723bs/os_dep/linux/ioctl_linux.c

@@ -4114,6 +4114,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -4139,6 +4142,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4166,6 +4172,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -12918,6 +12927,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8723bu/os_dep/linux/ioctl_linux.c

@@ -4916,6 +4916,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info 			*pwdinfo= &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	intent = rtw_atoi( extra );
@@ -4945,6 +4948,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	//	Listen channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 	listen_ch = rtw_atoi( extra );
 
@@ -4976,6 +4982,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo= &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	//	Operating channel number
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[ wrqu->data.length ] = 0x00;
 
 	op_ch = ( u8 ) rtw_atoi( extra );
@@ -13723,6 +13732,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8723cs/os_dep/linux/ioctl_linux.c

@@ -4476,6 +4476,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -4501,6 +4504,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4528,6 +4534,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -13203,6 +13212,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8723ds/os_dep/linux/ioctl_linux.c

@@ -3973,6 +3973,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -3998,6 +4001,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4025,6 +4031,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -12751,6 +12760,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */

drivers/net/wireless/rockchip_wlan/rtl8821cs/os_dep/linux/ioctl_linux.c

@@ -3967,6 +3967,9 @@ static int rtw_p2p_set_intent(struct net_device *dev,
 	struct wifidirect_info			*pwdinfo = &(padapter->wdinfo);
 	u8							intent = pwdinfo->intent;
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	intent = rtw_atoi(extra);
@@ -3992,6 +3995,9 @@ static int rtw_p2p_set_listen_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	listen_ch = pwdinfo->listen_channel;	/*	Listen channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 	listen_ch = rtw_atoi(extra);
 
@@ -4019,6 +4025,9 @@ static int rtw_p2p_set_op_ch(struct net_device *dev,
 	struct wifidirect_info *pwdinfo = &(padapter->wdinfo);
 	u8	op_ch = pwdinfo->operating_channel;	/*	Operating channel number */
 
+	if (wrqu->data.length >= 4096)
+		return -1;
+
 	extra[wrqu->data.length] = 0x00;
 
 	op_ch = (u8) rtw_atoi(extra);
@@ -12739,6 +12748,11 @@ static int _rtw_ioctl_wext_private(struct net_device *dev, union iwreq_data *wrq
 		extra = buffer;
 
 	handler = priv[priv_args[k].cmd - SIOCIWFIRSTPRIV];
+	if (handler == NULL) {
+		err = -EINVAL;
+		goto exit;
+	}
+
 	err = handler(dev, NULL, &wdata, extra);
 
 	/* If we have to get some data */