[PATCH] hostap: Fix unlikely read overrun in CIS parsing

The Coverity checker (CID: 452, 453, 454, 455, 456) spotted this unlikely read overrun of CIS buffer. Abort if CISTPL_CONFIG or CISTPL_MANFID would not fit in buffer. Signed-off-by: Jouni Malinen <jkmaline@cc.hut.fi> Signed-off-by: John W. Linville <linville@tuxdriver.com>
author: Jouni Malinen <jkmaline@cc.hut.fi> 2006-03-19 22:21:47 -0500
committer: John W. Linville <linville@tuxdriver.com> 2006-03-23 16:16:58 -0500
commit: 3a1c42ad98fddab63e62b400ae98e6f609485efc (patch)
tree: 419225b1ff68508e04f08dfb98ca8b21d1e83fef
parent: 8abceaf1cf44b9d95bcc366fa277b33e292141c4 (diff)
1 files changed, 2 insertions, 2 deletions
diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c
index 94fe2449f099..e258517ac85d 100644
--- a/drivers/net/wireless/hostap/hostap_plx.c
+++ b/drivers/net/wireless/hostap/hostap_plx.c
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
                switch (cis[pos]) {
                case CISTPL_CONFIG:
-                        if (cis[pos + 1] < 1)
+                        if (cis[pos + 1] < 2)
                                goto cis_error;
                        rmsz = (cis[pos + 2] & 0x3c) >> 2;
                        rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
                        break;
                case CISTPL_MANFID:
-                        if (cis[pos + 1] < 4)
+                        if (cis[pos + 1] < 5)
                                goto cis_error;
                        manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
                        manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);
author	Jouni Malinen <jkmaline@cc.hut.fi>	2006-03-19 22:21:47 -0500
committer	John W. Linville <linville@tuxdriver.com>	2006-03-23 16:16:58 -0500
commit	3a1c42ad98fddab63e62b400ae98e6f609485efc (patch)
tree	419225b1ff68508e04f08dfb98ca8b21d1e83fef
parent	8abceaf1cf44b9d95bcc366fa277b33e292141c4 (diff)

diff --git a/drivers/net/wireless/hostap/hostap_plx.c b/drivers/net/wireless/hostap/hostap_plx.c index 94fe2449f099..e258517ac85d 100644 --- a/drivers/net/wireless/hostap/hostap_plx.c +++ b/drivers/net/wireless/hostap/hostap_plx.c
@@ -368,7 +368,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
368		368
369	switch (cis[pos]) {	369	switch (cis[pos]) {
370	case CISTPL_CONFIG:	370	case CISTPL_CONFIG:
371	if (cis[pos + 1] < 1)	371	if (cis[pos + 1] < 2)
372	goto cis_error;	372	goto cis_error;
373	rmsz = (cis[pos + 2] & 0x3c) >> 2;	373	rmsz = (cis[pos + 2] & 0x3c) >> 2;
374	rasz = cis[pos + 2] & 0x03;	374	rasz = cis[pos + 2] & 0x03;
@@ -390,7 +390,7 @@ static int prism2_plx_check_cis(void __iomem *attr_mem, int attr_len,
390	break;	390	break;
391		391
392	case CISTPL_MANFID:	392	case CISTPL_MANFID:
393	if (cis[pos + 1] < 4)	393	if (cis[pos + 1] < 5)
394	goto cis_error;	394	goto cis_error;
395	manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);	395	manfid1 = cis[pos + 2] + (cis[pos + 3] << 8);
396	manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);	396	manfid2 = cis[pos + 4] + (cis[pos + 5] << 8);