diff options
author | Jouni Malinen <jkmaline@cc.hut.fi> | 2006-03-19 22:21:47 -0500 |
---|---|---|
committer | John W. Linville <linville@tuxdriver.com> | 2006-03-23 16:16:58 -0500 |
commit | 3a1c42ad98fddab63e62b400ae98e6f609485efc (patch) | |
tree | 419225b1ff68508e04f08dfb98ca8b21d1e83fef | |
parent | 8abceaf1cf44b9d95bcc366fa277b33e292141c4 (diff) |
[PATCH] hostap: Fix unlikely read overrun in CIS parsing
The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this
unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or
CISTPL_MANFID would not fit in buffer.
Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi>
Signed-off-by: John W. Linville <linville@tuxdriver.com>
-rw-r--r-- | drivers/net/wireless/hostap/hostap_plx.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c index 94fe2449f099..e258517ac85d 100644 --- a/drivers/net/wireless/hostap/hostap_plx.c +++ b/drivers/net/wireless/hostap/hostap_plx.c | |||
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, | |||
368 | 368 | ||
369 | switch (cis[pos]) { | 369 | switch (cis[pos]) { |
370 | case CISTPL_CONFIG: | 370 | case CISTPL_CONFIG: |
371 | if (cis[pos + 1] < 1) | 371 | if (cis[pos + 1] < 2) |
372 | goto cis_error; | 372 | goto cis_error; |
373 | rmsz = (cis[pos + 2] & 0x3c) >> 2; | 373 | rmsz = (cis[pos + 2] & 0x3c) >> 2; |
374 | rasz = cis[pos + 2] & 0x03; | 374 | rasz = cis[pos + 2] & 0x03; |
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len, | |||
390 | break; | 390 | break; |
391 | 391 | ||
392 | case CISTPL_MANFID: | 392 | case CISTPL_MANFID: |
393 | if (cis[pos + 1] < 4) | 393 | if (cis[pos + 1] < 5) |
394 | goto cis_error; | 394 | goto cis_error; |
395 | manfid1 = cis[pos + 2] + (cis[pos + 3] << 8); | 395 | manfid1 = cis[pos + 2] + (cis[pos + 3] << 8); |
396 | manfid2 = cis[pos + 4] + (cis[pos + 5] << 8); | 396 | manfid2 = cis[pos + 4] + (cis[pos + 5] << 8); |