diff options
author | John W. Linville <linville@tuxdriver.com> | 2009-05-20 10:51:41 -0400 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2009-05-20 14:29:54 -0400 |
commit | 267d493b322b05984048aef8ea9b5b213490bbe0 (patch) | |
tree | 167d6c2615990375e5a3af682f7bc3431f5851b5 /drivers/net/wireless/airo.c | |
parent | 875690c378d64d9ee2de15cad8206d3f11ae5096 (diff) |
airo: fix airo_get_encode{,ext} buffer overflow like I mean it...
"airo: airo_get_encode{,ext} potential buffer overflow" was actually a
no-op, due to an unrecognized type overflow in an assignment. Oddly,
gcc only seems to tell me about it when using -Wextra...grrr...
Signed-off-by: John W. Linville <linville@tuxdriver.com>
Diffstat (limited to 'drivers/net/wireless/airo.c')
-rw-r--r-- | drivers/net/wireless/airo.c | 23 |
1 files changed, 14 insertions, 9 deletions
diff --git a/drivers/net/wireless/airo.c b/drivers/net/wireless/airo.c index d7347573912..9eabf4d1f2e 100644 --- a/drivers/net/wireless/airo.c +++ b/drivers/net/wireless/airo.c | |||
@@ -6467,6 +6467,7 @@ static int airo_get_encode(struct net_device *dev, | |||
6467 | { | 6467 | { |
6468 | struct airo_info *local = dev->ml_priv; | 6468 | struct airo_info *local = dev->ml_priv; |
6469 | int index = (dwrq->flags & IW_ENCODE_INDEX) - 1; | 6469 | int index = (dwrq->flags & IW_ENCODE_INDEX) - 1; |
6470 | int wep_key_len; | ||
6470 | u8 buf[16]; | 6471 | u8 buf[16]; |
6471 | 6472 | ||
6472 | if (!local->wep_capable) | 6473 | if (!local->wep_capable) |
@@ -6500,11 +6501,13 @@ static int airo_get_encode(struct net_device *dev, | |||
6500 | dwrq->flags |= index + 1; | 6501 | dwrq->flags |= index + 1; |
6501 | 6502 | ||
6502 | /* Copy the key to the user buffer */ | 6503 | /* Copy the key to the user buffer */ |
6503 | dwrq->length = get_wep_key(local, index, &buf[0], sizeof(buf)); | 6504 | wep_key_len = get_wep_key(local, index, &buf[0], sizeof(buf)); |
6504 | if (dwrq->length != -1) | 6505 | if (wep_key_len < 0) { |
6505 | memcpy(extra, buf, dwrq->length); | ||
6506 | else | ||
6507 | dwrq->length = 0; | 6506 | dwrq->length = 0; |
6507 | } else { | ||
6508 | dwrq->length = wep_key_len; | ||
6509 | memcpy(extra, buf, dwrq->length); | ||
6510 | } | ||
6508 | 6511 | ||
6509 | return 0; | 6512 | return 0; |
6510 | } | 6513 | } |
@@ -6617,7 +6620,7 @@ static int airo_get_encodeext(struct net_device *dev, | |||
6617 | struct airo_info *local = dev->ml_priv; | 6620 | struct airo_info *local = dev->ml_priv; |
6618 | struct iw_point *encoding = &wrqu->encoding; | 6621 | struct iw_point *encoding = &wrqu->encoding; |
6619 | struct iw_encode_ext *ext = (struct iw_encode_ext *)extra; | 6622 | struct iw_encode_ext *ext = (struct iw_encode_ext *)extra; |
6620 | int idx, max_key_len; | 6623 | int idx, max_key_len, wep_key_len; |
6621 | u8 buf[16]; | 6624 | u8 buf[16]; |
6622 | 6625 | ||
6623 | if (!local->wep_capable) | 6626 | if (!local->wep_capable) |
@@ -6661,11 +6664,13 @@ static int airo_get_encodeext(struct net_device *dev, | |||
6661 | memset(extra, 0, 16); | 6664 | memset(extra, 0, 16); |
6662 | 6665 | ||
6663 | /* Copy the key to the user buffer */ | 6666 | /* Copy the key to the user buffer */ |
6664 | ext->key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); | 6667 | wep_key_len = get_wep_key(local, idx, &buf[0], sizeof(buf)); |
6665 | if (ext->key_len != -1) | 6668 | if (wep_key_len < 0) { |
6666 | memcpy(extra, buf, ext->key_len); | ||
6667 | else | ||
6668 | ext->key_len = 0; | 6669 | ext->key_len = 0; |
6670 | } else { | ||
6671 | ext->key_len = wep_key_len; | ||
6672 | memcpy(extra, buf, ext->key_len); | ||
6673 | } | ||
6669 | 6674 | ||
6670 | return 0; | 6675 | return 0; |
6671 | } | 6676 | } |